ABSTRACT

In this study, we investigated an algebraic-type attack, known as the cube attack, against wireless networks. We implemented the cube attack in a wireless system, namely Bluetooth. We formally modeled the encryption function of the E0 Bluetooth key generator and automated the factorization process (preprocessing phase) of the cube attack on E0. In this phase, an attacker finds as many maxterms (a term of the encryption function such that its co-factor is a linear nonconstant polynomial) as possible. In the actual attacking phase, the attacker solves the system of linear equations through a chosen plaintext attack and reveals useful information about the cryptosystem. The number of operations needed in the computational process is 2^' ‘ and is considerably less than that of similar algebraic types of attacks, but it is limited to the output of the LFSRs at any clock cycle. The results of our analysis indicate that if an attacker is an unauthorized participant of the security protocol, then by manipulating some of the output bits of the LFSRs of two arbitrary clock cycles and intercepting the output bits of the entire machine, the attacker succeeds in finding the output bits of the LFSRs at any clock tick.
EXECUTIVE SUMMARY

In this study, we investigated an algebraic-type attack, known as the cube attack, against wireless networks. We implemented the cube attack in a wireless system, namely Bluetooth. We formally modeled the encryption function of the E0 Bluetooth key generator and automated the factorization process (preprocessing phase) of the cube attack on E0. In this phase, an attacker finds as many maxterms (a term of the encryption function such that its co-factor is a linear nonconstant polynomial) as possible. In the actual attacking phase, the attacker solves the system of linear equations through a chosen plaintext attack and reveals useful information about the cryptosystem. The number of operations needed in the computational process is 2^' ‘ and is considerably less than that of similar algebraic types of attacks, but it is limited to the output of the LFSRs at any clock cycle. The main contribution of this thesis is that if the attacker is an unauthorized participant of the security protocol, then by manipulating some of the output bits of the LFSRs of two arbitrary clock cycles and intercepting the output bits of the entire machine, the attacker succeeds in finding the output bits of the LFSRs at any clock tick. The most important question that needs to be answered next is how one can recover the encryption key of E0 after knowing the output bits of every LFSR at any clock, which this study provides.

Building on these results, the next stage of the research is to validate our integration of the cube-type attack into the Bluetooth encryption protocol. As demonstrated in this and other research cited in this thesis, one needs to understand and formally evaluate the strength of a given cryptosystem, and to be able to evaluate its implementation to ensure that there are no flaws at that stage. The cryptosystem and the protocol it uses may be good, but if poorly implemented they will most likely be untrustworthy.
I. INTRODUCTION

A. MOTIVATION

Nowadays, there is great interest from the United States Department of Defense to move from wired communication systems to wireless systems. How to secure wireless cryptosystems, which are known to have suffered malicious attacks, is a question this thesis is attempting to answer. Sun-Tzu stated (400-320 BC, translated Giles, 1910) "If you know the enemy and know yourself, you need not fear the result of a hundred battles." As in that saying, there is a need to see and understand the mathematical theory hidden in modern types of attacks, and to know how effective they are compared to the traditional exhaustive key searches in wireless security protocols (e.g., Bluetooth, Wi-Fi, Wi-Max).

Bluetooth is a well-established wireless communications standard (IEEE 802.15.1) between different devices (e.g., personal computers, laptops, mobile phones) that operates over a short range and at low power. For efficiency reasons, such as speed, size and power consumption, the system uses a stream cipher encryption (E0) instead of the widely-used block ciphers. Four linear feedback shift registers¹ (LFSRs) are used in the algorithm, and a nonlinear Boolean function combines their output. The plaintext is then combined with the output key stream using an exclusive OR (XOR), producing the ciphertext. Wired Equivalent Privacy (WEP), IEEE 802.11, is another security protocol, for Wi-Fi networks. It provides authentication and encryption. The key component of this protocol is the commonly used stream cipher RC4. IEEE 802.11, which has questionable functionality due to the wireless packet network structure, provides relatively weak encryption and one-way authentication, and has no key-distribution mechanisms. IEEE 802.11i updated the previous protocol and underwent final ratification, providing much stronger forms of encryption, an extensible set of authentication mechanisms, and key distribution capabilities. It includes an Advanced Encryption Standard (AES)-based encryption scheme. World Interoperability for Microwave Access (Wi-Max) is a family of IEEE 802.16 standards that aims to deliver wireless data to a large number of users over a wide area at rates that rival those of cable modems. There are two schemes for data encryption supported in the 802.16 standard, the Advanced Encryption Standard (AES) and the Triple Data Encryption Standard (3DES). Both of these schemes are block ciphers that operate on one block or chunk of data at a time, whereas stream ciphers can act on a single bit. AES handles a 128-bit block of data at a time, and has been shown to be very fast and easy to implement.

¹ In digital circuits, a shift register is a type of sequential logic circuit mainly for storage of digital data, set up in a linear fashion, which has its inputs connected to the outputs in such a way that the data shifts down the line when the circuit activates. A linear feedback shift register is a shift register whose input bit is the output of a linear function of two or more of its previous states (from [23], p. 19).

This thesis will investigate from a theoretical perspective the effectiveness of several promising attacks against linear feedback shift register (LFSR)-based ciphers; specifically, we will look at correlation, algebraic, and cube attacks implemented in Bluetooth encryption (128-bit key size).

Correlation attacks deal with distinguishing and recovering keys, mainly against stream ciphers. They exploit a statistically biased relation between the produced keystream and the output of certain LFSR sequences. Using the notion of correlation, there is a direct relation between the output state of an individual LFSR in the keystream generator and the output of the Boolean function that combines the output states of all LFSRs. Therefore, partial knowledge of the keystream (derived from partial knowledge of the plaintext) is needed. In 2004, Lu and Vaudenay used a correlation attack and implemented it on the E0 Bluetooth keystream generator by applying a novel maximum decoding algorithm based on the Walsh transform (a feature of Boolean functions), and succeeded in achieving key recovery in 2^® operations after 2^’ operations of precomputation [1]. One year later, Lu, Meier and Vaudenay proposed the use of conditional correlation attacks. The term "conditional correlation" describes the linear correlation of the inputs conditioned on a given short output pattern of a nonlinear function with small input size. Their attack was implemented on the output of the same key generator E0 of Bluetooth and disclosed the encryption key in 2'*' operations using the first 24 bits of 2"'* frames, thus improving the previous results of two of the authors [2]. One can also use algebraic attacks against LFSR-based stream ciphers. Algebraic attacks consist of expressing the whole cipher as a large system of multivariate algebraic equations that can be solved to recover the secret key. The unknowns in these equations occasionally represent the bits of the secret key. A major parameter that influences the complexity of such attacks is the degree of the underlying algebraic system. When the transition is linear, any keystream bit can be expressed as a function of degree $\deg(f)$ in the initial state bits. However, despite the high degree of the filtering Boolean function that is used in the keystream generator, such an attack can be applied as soon as there are relations of low degree between the output and the inputs of the Boolean function. Armknecht proposed a scheme that solved the E0 cryptosystem in

operations [3].

Dinur and Shamir described a type of algebraic attack called the cube attack [4]. This active assault on a cryptosystem requires the attacker to extract useful information from the bit stream. By skillfully choosing some publicly settable bits, the attacker may be able to replace the polynomial that represents the encryption function by a system of linear equations. Dinur and Shamir used this approach on the Trivium cipher and recovered the encryption key in 2'“^ bit operations, which is the best result in the literature so far. Zhang et al. extended Dinur and Shamir's approach to other polynomials $f$ for which they could find a lower degree polynomial $g$, so that the product $fg$ also has a lower degree. They applied this attack to the Toyocrypt cipher with re-synchronization, breaking the stream cipher in a few milliseconds on an ordinary PC [5].
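As an added illustration (not code from the thesis or its automation tool), the two phases described above on a constructed toy polynomial: the preprocessing phase searches cubes of public bits for maxterms (superpoly linear and nonconstant, checked with a probabilistic linearity test), and the attacking phase turns each maxterm into one linear equation in the secret bits and solves the system over GF(2). The polynomial `cipher`, the sizes `N_PUB`/`N_SEC` and all function names are assumptions of this example.

```python
import itertools
import random

N_PUB, N_SEC = 4, 3   # constructed sizes: 4 public (settable) bits, 3 secret bits


def cipher(v, x):
    """Constructed toy encryption polynomial p(v, x) over GF(2) (an assumption
    of this example, not E0). v: public bits the attacker sets, x: secret bits."""
    return (v[0]*v[1]*x[0] ^ v[0]*v[1]*v[2]*x[1] ^ v[2]*x[2]
            ^ v[0]*v[1] ^ v[3]*x[0]*x[1] ^ v[2]*v[3]) & 1


def cube_sum(cube, x, v_base=None):
    """Superpoly value p_I(x): XOR of cipher(v, x) over all 2^|I| settings of the
    cube bits I, with the remaining public bits held at v_base (default 0)."""
    v_base = v_base or [0] * N_PUB
    total = 0
    for bits in itertools.product((0, 1), repeat=len(cube)):
        v = list(v_base)
        for i, b in zip(cube, bits):
            v[i] = b
        total ^= cipher(v, x)
    return total


def superpoly_is_linear(cube, trials=32, seed=1):
    """Probabilistic (BLR) linearity test of p_I: for random secret vectors a, b
    a linear (affine) p_I satisfies p_I(0) ^ p_I(a) ^ p_I(b) == p_I(a ^ b)."""
    rng = random.Random(seed)
    zero = [0] * N_SEC
    for _ in range(trials):
        a = [rng.randint(0, 1) for _ in range(N_SEC)]
        b = [rng.randint(0, 1) for _ in range(N_SEC)]
        ab = [i ^ j for i, j in zip(a, b)]
        lhs = cube_sum(cube, zero) ^ cube_sum(cube, a) ^ cube_sum(cube, b)
        if lhs != cube_sum(cube, ab):
            return False
    return True


def superpoly_coeffs(cube):
    """For a linear p_I(x) = c0 ^ c1*x1 ^ ... ^ cn*xn, recover (c0, [c1..cn]) by
    querying the all-zero secret and each unit vector."""
    c0 = cube_sum(cube, [0] * N_SEC)
    coeffs = []
    for i in range(N_SEC):
        e = [0] * N_SEC
        e[i] = 1
        coeffs.append(cube_sum(cube, e) ^ c0)
    return c0, coeffs


def find_maxterms(max_size=3):
    """Preprocessing phase: every cube up to max_size whose superpoly passes the
    linearity test and is nonconstant is a maxterm."""
    maxterms = []
    for size in range(1, max_size + 1):
        for cube in itertools.combinations(range(N_PUB), size):
            if superpoly_is_linear(cube):
                c0, coeffs = superpoly_coeffs(cube)
                if any(coeffs):
                    maxterms.append((cube, c0, coeffs))
    return maxterms


def solve_gf2(rows, n=N_SEC):
    """Gauss-Jordan elimination over GF(2). rows: (coefficient list, rhs).
    Returns the unique solution, or None if the equations do not determine it."""
    m = [list(c) + [r] for c, r in rows]
    pivots, r = [], 0
    for col in range(n):
        piv = next((i for i in range(r, len(m)) if m[i][col]), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        for i in range(len(m)):
            if i != r and m[i][col]:
                m[i] = [a ^ b for a, b in zip(m[i], m[r])]
        pivots.append(col)
        r += 1
    if len(pivots) < n:
        return None
    return [m[pivots.index(col)][n] for col in range(n)]


def recover_key(secret_key):
    """Attacking phase: chosen-plaintext cube sums against an oracle holding
    secret_key give the right-hand side of each maxterm's linear equation."""
    rows = []
    for cube, c0, coeffs in find_maxterms():
        rows.append((coeffs, cube_sum(cube, secret_key) ^ c0))
    return solve_gf2(rows)
```

For this polynomial the cubes {2}, {0,1} and {0,1,2} are maxterms with superpolys x3, x1 + 1 and x2, while {3} yields the nonlinear x1 x2 and {2,3} a constant, so three equations determine all three secret bits.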

All of the above-mentioned attacks are based on the cryptographic features of Boolean functions, which have been an object of study in modern cryptography for about the last thirty-five years.
B. THESIS OUTLINE

The thesis consists of seven chapters. In Chapter I, the author gives a general outline of the work, describes the motivation for this research, and defines the problem that will be investigated. In Chapter II, the author describes the mathematical background necessary for the reader to understand the material that follows, the tools the author will use (Boolean functions, the security protocol of E0, etc.), and the basic definitions of cryptosystems and wireless security. In Chapter III, the author examines the correlation and algebraic attacks and their theoretical background. In Chapter IV, the author details the cube attack concept and, in Chapter V, he models the Bluetooth keystream generator E0. In Chapter VI, the author details the tool he created in order to automate the cube attack and analyzes the results. The author ends this thesis with the conclusions reached from the research and provides future recommendations.

C. THE PROBLEM

In recent years, there has been great interest from the Department of Defense in substituting ground-wired networks (LANs) with short-range (Bluetooth) or medium-range (Wi-Fi) wireless networks. Several types of attacks have been successful at defeating the cryptosystems used by IEEE 802.11 and 802.16 technologies, leading one to ask the question: how much trust should we place in the wireless encryption protocols?

D. ACCOMPLISHMENTS OF THIS STUDY

We formally modeled the encryption function of the E0 Bluetooth key generator and automated the factorization process (preprocessing phase) of the cube attack on E0. We applied the cube-type attack and reduced the search space for the output of the LFSRs of E0, a hard task since Bluetooth E0 uses a more complex encryption algorithm than the ciphers on which the attack has been implemented so far. The main contribution of this thesis is that, under the assumption that the attacker is an unauthorized participant of the security protocol, by manipulating some of the output bits of the LFSRs of two arbitrary clock cycles and intercepting the output bits of the entire encryption machine, the attacker succeeds in revealing the output bits of the LFSRs at any clock cycle.
II. BACKGROUND

A. COMPUTER SCIENCE

1. Security Protocol

Definition 2.1: "A security protocol is a sequence of messages between two or more parties in which encryption is used to provide authentication or to distribute cryptographic keys for new conversations." [6]

The majority of the security protocols in computer networks are based on cryptography, which is why they are also called cryptographic protocols. In order to establish a secure communication there is a sequence of steps the participating parties must perform. These steps include the transmission of messages, possibly encrypted, carrying participant names, cryptographic keys, random numbers, timestamps, ciphertexts and concatenations of these components. A security protocol aims to achieve certain goals upon its completion, like verifying the authenticity of the sender, ensuring the integrity of the transmitted message, protecting the confidentiality of the header and contents of the message, and providing for nonrepudiation. A security protocol is said to be flawed if it fails to achieve its claimed goals [7].

2. Wireless Security

Security is an important concern in wireless networks because the radio frequency (RF) transmissions can be monitored by malicious people. A cryptosystem is a system used to encrypt a plaintext into ciphertext and, at the other end, to decrypt a ciphertext into plaintext. The cryptosystem is also used to ensure the four main goals of information security: confidentiality, integrity, authenticity and nonrepudiation.

3. Cryptosystem

Definition 2.2: "A cryptosystem is a five-tuple $(P, C, \mathcal{K}, \mathcal{E}, \mathcal{D})$, where the following conditions are satisfied:

1. $P$ is a finite set of possible plaintexts.

2. $C$ is a finite set of possible ciphertexts.

3. $\mathcal{K}$ is the keyspace, which is a finite set of possible keys.

4. For each $K \in \mathcal{K}$ (i.e., for each element of the keyspace) there is an encryption rule $e_K \in \mathcal{E}$ and a corresponding decryption rule $d_K \in \mathcal{D}$. Each $e_K : P \to C$ and $d_K : C \to P$ are functions such that $d_K(e_K(x)) = x$ for every plaintext element $x \in P$." [8]

The main property of all the above is the fourth property, where if a plaintext $x$ is encrypted using an encryption key $e_K$, the resulting ciphertext will be decrypted using a decryption key $d_K$, revealing the original plaintext $x$.

For our work, we choose $P = C = \mathbb{Z}_2^m$, where $m$ is the length of the plaintext to be enciphered and $\mathbb{Z}_2$ is the set of remainders when dividing integers by 2. Thus, $\mathbb{Z}_2$ has two elements $\{0, 1\}$ and is called the set of integers modulo 2.
 is the set of polynomials whose coefficients are integers modulo 2.

4. Wireless Threats

In common terms, a hacker is a person who legally or illegally gains access to a computer system to make changes to the system or to reveal security flaws [9, p. 379].

We consider three types of hackers. The whitehat hacker is a person who is hired by a company to find the flaws in a computer system. A blackhat hacker is a person who illegally accesses a computer system. There are also greyhat hackers, namely something in the middle: persons who access a computer system without authorization to make changes, mostly for publicity purposes and to gain popularity [9, p. 393].

Some common types of attacks on wireless systems are discussed below [10]. In traffic analysis or passive eavesdropping, an adversary intercepts the traffic in a wireless local area network (WLAN). Active eavesdropping occurs when the adversary inserts a message into the network and, from the response of the system, derives useful information about the system such as response time. There is also message deletion on a network, which implies full control of the network by the attacker. Next is session hijacking, where the adversary might hijack a valid session and put authentication between legitimate users in dispute. There is also the man-in-the-middle attack, where the adversary must participate in the communication between the target parties. Before this happens, the adversary spoofs the authentication process of both parties and then breaks the connection between the two parties. The adversary pretends to be the legitimate one of the two associated users.

The Diffie-Hellman algorithm is vulnerable to the man-in-the-middle attack, because no authentication occurs before the two parties exchange the secret keys [11]. Finally, denial-of-service (DoS) attacks have as their goal to deny the services that the target system provides. Denial-of-service (DoS) attacks may be launched over the Internet to target routers, servers, and firewalls. This makes them rapidly use all of their resources and become unable to provide further services. There are policies and enforcement mechanisms that can be put in place to guard against such attacks, but consideration of these is outside the scope of this thesis.

From a cryptanalysis point of view, the most common models of attack are as follows:

1. Ciphertext-only attack: The adversary possesses a ciphertext, possibly by intercepting traffic.

2. Known-plaintext attack: The adversary possesses a plaintext and its corresponding ciphertext.

3. Chosen-plaintext attack: The adversary has access to the encryption cipher; he can choose a plaintext and construct the corresponding ciphertext, and he can repeat this process as many times as he likes.

4. Chosen-ciphertext attack: The adversary has access to the decryption cipher; he can choose a ciphertext and construct the corresponding plaintext, and he can repeat this process as many times as he likes.

Here, the goal of the adversary is to determine the secret key that has been used by the cipher. Correlation, algebraic and cube attacks, the foundations of our results, are detailed in the following chapters.

B. MATHEMATICAL THEORY

The attack we have developed is based on several mathematical concepts. Below we provide a description of these. We assume that the reader has some familiarity with the concepts of abstract algebra and Boolean functions.

At a very high level, a Boolean function outputs a single bit result (0 or 1) for each possible combination of values of many Boolean variables. The algebraic environment of Boolean functions is a vector space (defined below) of dimension $n$ over the binary field. The Boolean output consists of the bit values $\{0, 1\}$, with "XOR" as addition and "AND" as multiplication.

1. Vector Space

A field is a set endowed with two operations, satisfying a plethora of conditions. We will mostly use the binary field $\mathbb{F}_2$, whose addition ($\oplus$) and multiplication ($\cdot$) operations are defined as follows:

$0 \oplus 0 = 0$
$0 \oplus 1 = 1 \oplus 0 = 1$
$1 \oplus 1 = 0$
$0 \cdot 0 = 0$
$1 \cdot 0 = 0 \cdot 1 = 0$
$1 \cdot 1 = 1$
Definition 2.3: Let $F$ be an algebraic field. A vector space over $F$ (or $F$-vector space) consists of an abelian (commutative) group $V$ under addition together with an operation of scalar multiplication of each element of $V$ by each element of $F$ on the left, such that for all $a, b \in F$ and $\alpha, \beta \in V$ the following conditions are satisfied:

■ $a\alpha \in V$.

■ $a(b\alpha) = (ab)\alpha$.

■ $(a + b)\alpha = (a\alpha) + (b\alpha)$.

■ $a(\alpha + \beta) = (a\alpha) + (a\beta)$.

■ $1\alpha = \alpha$.

The elements of $V$ are vectors and the elements of the algebraic field $F$ are scalars. When only one field $F$ is under discussion, the reference to $F$ is dropped and one refers simply to a vector space [12]. Specifically, let $V_n$ be the vector space of dimension $n$ over the two-element field $\mathbb{F}_2$. For two vectors in $V_n$, say $a = (a_1, \ldots, a_n)$ and $b = (b_1, \ldots, b_n)$, the scalar product is defined as $a \cdot b = a_1 b_1 \oplus \ldots \oplus a_n b_n$, where the multiplication and the addition $\oplus$ are over $\mathbb{F}_2$ (this operation should not be confused with the direct product of vector spaces). The operation $*$ on vectors is defined by $a * b = (a_1 b_1, \ldots, a_n b_n)$.

When one is dealing with the vector space $\mathbb{F}_2^n$ (where $\mathbb{F}_2^n = \underbrace{\mathbb{F}_2 \times \mathbb{F}_2 \times \ldots \times \mathbb{F}_2}_{n\text{ times}}$ represents the set of all $n$-tuples of 0's and 1's) then the following operations apply:

■ Addition

$(v_1, v_2, v_3, \ldots, v_n) \oplus (w_1, w_2, w_3, \ldots, w_n) = (v_1 \oplus w_1, v_2 \oplus w_2, v_3 \oplus w_3, \ldots, v_n \oplus w_n)$

■ Multiplication

■ Scalar Multiplication

$(v_1, v_2, v_3, \ldots, v_n) \cdot (w_1, w_2, w_3, \ldots, w_n) = v_1 w_1 \oplus v_2 w_2 \oplus v_3 w_3 \oplus \ldots \oplus v_n w_n$

■ Vector Intersection

$(v_1, v_2, v_3, \ldots, v_n) * (w_1, w_2, w_3, \ldots, w_n) = (v_1 w_1, v_2 w_2, v_3 w_3, \ldots, v_n w_n)$

2. Vector Space and Correspondence of the Finite Field

In abstract algebra, a finite field is any field with a finite number of elements. For every prime $p$ and positive integer $n$ there is exactly one finite field (up to isomorphism) of order $p^n$. The field $GF(2^n)$ is usually referred to as the Galois field of order $2^n$ [12, p. 300].

Definition 2.4: A polynomial is primitive if it is the minimal polynomial of a primitive element of the finite extension field $GF(p^n)$. In other words, a polynomial $P(X)$, with coefficients in $GF(p) = \mathbb{Z}/p\mathbb{Z}$, is a primitive polynomial if it has a root $\alpha$ in $GF(p^n)$ such that $\{0, 1, \alpha, \alpha^2, \ldots, \alpha^{p^n - 2}\}$ is the entire field $GF(p^n)$ and $P(X)$ is the smallest degree polynomial having $\alpha$ as root in $GF(p^n)$.

Any finite field of dimension $n$ over $GF(p)$ can be constructed by taking a primitive polynomial $P$ of degree $n$ ($P$ is primitive and $\deg P(X) = n$).

For the Galois field $GF(2)$ we have the correspondence $GF(2^n) = \mathbb{F}_2^n$:

$GF(2^n) = \dfrac{\mathbb{F}_2[X]}{\langle P \rangle} = \{a_0 + a_1 X + \ldots + a_{n-1} X^{n-1} : a_i \in \mathbb{F}_2\}$.

Given such a representation of $GF(2^n)$ by a polynomial $P$, to every element $a_0 + a_1 X + \ldots + a_{n-1} X^{n-1}$ we associate the vector $(a_0, a_1, \ldots, a_{n-1}) \in V_n$.

This does not mean that both structures are the same; rather, it means that there is a bijective correspondence between those two structures.
Example 2.5:

Assume one is working in $GF(2^3)$, thus $GF(2^3) = \dfrac{\mathbb{F}_2[X]}{\langle P \rangle} = \{0, 1, \ldots, \alpha^{2^3 - 2}\}$.

One has to use a primitive polynomial of degree 3, say $P = x^3 + x + 1$.

  GF(2^3)                        V_3
  0                              000
  1 = α^0                        001
  α                              010
  α^2                            100
  α^3 = α + 1             (1)    011 = 010 + 001
  α^4 = α^2 + α           (2)    110 = 100 + 010
  α^5 = α^2 + α + 1              111 = 100 + 010 + 001
  α^6 = α^2 + 1                  101 = 100 + 001
  α^7 = 1                        001

Table 1. Correspondence between Finite Fields and Vector Spaces

Observations:

(1) $\alpha^3 + \alpha + 1 = 0 \Rightarrow \alpha^3 = \alpha + 1$, since $\alpha$ is a primitive element.

(2) $\alpha^4 = \alpha(\alpha^3) = \alpha(\alpha + 1) = \alpha^2 + \alpha$; continue in that fashion up to the element where there is repetition ($\alpha^7$).
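The construction of Table 1 as an added example (not from the thesis): elements of $GF(2^3) = \mathbb{F}_2[X]/\langle P \rangle$ are generated as successive powers of $\alpha = X$ reduced modulo $P = x^3 + x + 1$, and a primitivity check confirms that the powers run through every nonzero element before repeating. Function names and the integer encoding of field elements are this example's own assumptions.

```python
# A field element a_0 + a_1 X + ... + a_{n-1} X^{n-1} is held as an integer whose
# bit i is a_i, so its vector prints as (a_{n-1} ... a_0), the high-to-low
# coefficient order used in Table 1 (alpha = 010, alpha^2 = 100).


def gf_mul_by_x(a, poly, n):
    """Multiply the element a by X and reduce modulo the degree-n polynomial P."""
    a <<= 1
    if a >> n & 1:           # X^n appeared: X^n = P(X) - X^n (mod 2), i.e. XOR with P
        a ^= poly
    return a & ((1 << n) - 1)


def power_table(poly, n):
    """Rows (k, vector string) for alpha^k, k = 0 .. 2^n - 1, as in Table 1."""
    rows, a = [], 1           # alpha^0 = 1 = 0...01
    for k in range(2 ** n):
        rows.append((k, format(a, f"0{n}b")))
        a = gf_mul_by_x(a, poly, n)
    return rows


def is_primitive(poly, n):
    """P is primitive iff alpha = X generates all 2^n - 1 nonzero elements: the
    powers alpha^0 .. alpha^(2^n - 2) are distinct and alpha^(2^n - 1) == 1."""
    seen, a = set(), 1
    for _ in range(2 ** n - 1):
        if a in seen:
            return False      # repetition before the whole multiplicative group
        seen.add(a)
        a = gf_mul_by_x(a, poly, n)
    return a == 1 and len(seen) == 2 ** n - 1


def poly_str(a, n):
    """Write an element as a polynomial in alpha, e.g. 'a^2 + a + 1'."""
    terms = [("1" if i == 0 else "a" if i == 1 else f"a^{i}")
             for i in range(n - 1, -1, -1) if a >> i & 1]
    return " + ".join(terms) if terms else "0"


P_EXAMPLE = 0b1011        # x^3 + x + 1 from Example 2.5 (bit 3 = x^3, bit 1 = x, bit 0 = 1)

if __name__ == "__main__":
    print("x^3 + x + 1 primitive:", is_primitive(P_EXAMPLE, 3))
    for k, vec in power_table(P_EXAMPLE, 3):
        print(f"a^{k} = {poly_str(int(vec, 2), 3):12s} <-> {vec}")
```

The reducible x^3 + 1 fails the check after three steps, and for n = 4 the irreducible but non-primitive x^4 + x^3 + x^2 + x + 1 fails because alpha^5 = 1.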
3. Boolean Function

Definition 2.6: A Boolean function $f$ in $n$ variables is a map from a vector space $V_n$ of dimension $n$ over $\mathbb{F}_2$ to the two-element field $\mathbb{F}_2$. The $(0, 1)$ sequence generated by the Boolean function $f$ is defined by $(f(v_0), f(v_1), \ldots, f(v_{2^n - 1}))$ and is called the truth table of $f$, where $v_0 = (0, \ldots, 0, 0)$, $v_1 = (0, \ldots, 0, 1)$, $\ldots$, $v_{2^n - 1} = (1, \ldots, 1, 1)$, ordered lexicographically. The $(1, -1)$ sequence of $f$ is defined as $((-1)^{f(v_0)}, (-1)^{f(v_1)}, \ldots, (-1)^{f(v_{2^n - 1})})$.

Any function that is defined on a vector space over a finite field, in particular over $\mathbb{F}_2$, is in fact a polynomial [13]. The idea is that if one defines a function that takes any vector to an output, then by taking the degree of the polynomial high enough, one can find appropriate coefficients so that the particular polynomial will match the dataset.

"A Boolean function on $V_n$ can be expressed as a polynomial in $\mathbb{F}_2[x_1, \ldots, x_n] / (x_1^2 - x_1, \ldots, x_n^2 - x_n)$; the algebraic normal form (ANF) is

$f(x) = \sum_{a \in V_n} c_a\, x_1^{a_1} \cdots x_n^{a_n}$, where $c_a \in \mathbb{F}_2$ and $a = (a_1, \ldots, a_n)$. Moreover, $c_a = \sum_{x \leq a} f(x)$,

where $x \leq a$ means that $x_i \leq a_i$ for all $1 \leq i \leq n$. The algebra of all Boolean functions on $V_n$ will be called $B_n$" [13, pp. 5-6].

The simplest Boolean functions are the constant functions 0 and 1.

Example 2.7:

Assume $n = 3$, thus working on $V_3$.

Let $f : V_3 \to \mathbb{F}_2$, $f(x_1, x_2, x_3) = x_1 x_2 \oplus x_3$ be the Algebraic Normal Form (ANF) of a Boolean function $f$.
  V_3 (Lexicographical Order)      f
  Labeling of values: x3 x2 x1
  000                              0
  001                              0
  010                              0
  011                              1
  100                              1
  101                              1
  110                              1
  111                              0

Table 2. Truth Table of f

Thus, the Boolean function has the following truth table (Table 2): $f = 00011110$. One can infer the ANF of $f$ from the sequence of bits of that Boolean function and vice versa.
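An added example (not the thesis's code) for the last sentence: computing the ANF coefficients $c_a = \sum_{x \le a} f(x)$ from the truth table of Example 2.7 with the binary Möbius transform, and recovering the truth table from the ANF with the same transform. The row indexing and function names are assumptions of this example.

```python
# Rows are indexed lexicographically as in Definition 2.6 and Table 2: bit j of
# the row index is the value of x_{j+1}, so row 3 = 011 means x3=0, x2=1, x1=1.


def moebius(bits):
    """Binary Möbius transform of a list of 2^n bits. It maps a truth table to
    the ANF coefficient vector (c_a = XOR of f(x) over x <= a) and, being an
    involution over GF(2), maps the coefficient vector back to the truth table."""
    out = list(bits)
    size, step = len(out), 1
    while step < size:
        for i in range(size):
            if i & step:                 # fold the entry with this bit clear into the one with it set
                out[i] ^= out[i ^ step]
        step <<= 1
    return out


def anf_from_truth_table(tt):
    """Monomials of the ANF as sorted tuples of 1-based variable indices;
    coefficient index bit j corresponds to the variable x_{j+1}."""
    n = len(tt).bit_length() - 1
    monomials = []
    for a, c in enumerate(moebius(tt)):
        if c:
            monomials.append(tuple(j + 1 for j in range(n) if a >> j & 1))
    return monomials


def truth_table_from_anf(monomials, n):
    """Inverse direction: set the coefficient bit of each monomial, transform back."""
    coeffs = [0] * (1 << n)
    for mono in monomials:
        a = 0
        for var in mono:
            a |= 1 << (var - 1)
        coeffs[a] ^= 1
    return moebius(coeffs)


def anf_str(monomials):
    """Render monomials as text, e.g. 'x1x2 + x3'; the empty monomial is '1'."""
    return " + ".join("".join(f"x{v}" for v in m) if m else "1" for m in monomials)


# Example 2.7: f(x1, x2, x3) = x1 x2 + x3 has truth table 00011110 (Table 2).
TT_EXAMPLE = [int(b) for b in "00011110"]

if __name__ == "__main__":
    print("ANF:", anf_str(anf_from_truth_table(TT_EXAMPLE)))
    print("back:", "".join(map(str, truth_table_from_anf([(1, 2), (3,)], 3))))
```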

Definition 2.8: An affine function $l$ on $V_n$ is a function that takes the form $l_{a,c}(x) = a \cdot x \oplus c = a_1 x_1 \oplus \ldots \oplus a_n x_n \oplus c$, where $a = (a_1, a_2, \ldots, a_n) \in V_n$, $c \in \mathbb{F}_2$. If $c = 0$, then $l_{a,0} = l_a$ is a linear function [13, p. 6].

Definition 2.9: Let $A$ be a set. If there are exactly $n$ distinct elements in $A$, where $n$ is a nonnegative integer, we say that $A$ is a finite set and $n$ is the cardinality of $A$. The cardinality of $A$ is denoted by $|A|$ [14].

Lemma 2.10: The number of all affine functions in $n$ variables is $|A_n| = 2^{n+1}$.

Proof: By definition, an affine function depends on $n + 1$ parameters $a_1, a_2, \ldots, a_n, c$, each of which takes values in $\{0, 1\}$. Therefore, the number of such choices is $2^{n+1}$. The set of all affine functions is a small class of Boolean functions.

Additionally, one should note that the set of all linear functions has $|L_n| = 2^n$, since $c = 0$.

■

Lemma 2.11: The number of all Boolean functions in $n$ variables is $|B_n| = 2^{2^n}$.

Proof: By definition, a Boolean function $f$ is a mapping $f : V_n \to \mathbb{F}_2$. Since the cardinality of the set of all linear functions is $2^n$, the following assertion holds for all functions: $|V_n| = 2^n$ and so $|B_n| = 2^{2^n}$.

Example 2.12:

For $n = 4$, the number of Boolean functions is $2^{2^4} = 2^{16}$. For $n = 6$, the number of Boolean functions is $2^{2^6} = 2^{64}$. As can be seen from these examples, the class of Boolean functions becomes extremely large. From a cryptographic point of view, one wants to count the elements of such a set because if the set is small, then one can implement an exhaustive approach and do whatever analysis one wants to do.

4. Hamming Weight and Distance

In coding theory, the Hamming distance between (two) bit strings of the same size is the number of bits where they differ. The Hamming distance is a metric and represents the minimum number of substitutions necessary to transform one bit string into another.

For example, if $f = 101001101$ and $g = 011011100$, then their Hamming distance is $d(f, g) = 4$. The Hamming weight of a string is the number of 1's it has, i.e., its distance from the 0-vector. Thus, in the previous example $wt(f) = 5$, $wt(g) = 5$.

The Hamming weight of a Boolean function $f$ is the number of 1's in the truth table of $f$. More formally:

Definition 2.13: The Hamming weight of a vector $x \in V_n$, denoted by $wt(x)$, is the number of 1's in the vector $x$. For a Boolean function $f$ on $V_n$, let $\Omega_f = \{x \in V_n : f(x) = 1\}$ be the support of $f$. The Hamming weight of a function $f$ is the Hamming weight of its truth table, that is, the cardinality of $f^{-1}(1)$ or equivalently $wt(f) = |\Omega_f|$. The Hamming distance between two functions $f, g : V_n \to \mathbb{F}_2$, denoted by $d(f, g)$, is defined as:

5. Walsh Transform

The Walsh or Hadamard transform is a type of discrete Fourier transform of a Boolean function. Using the Walsh transform, correlations in combining functions may be identified.

Definition 2.14: "The Walsh transform of a function $f$ on a vector space $V_n$ of dimension $n$ over $\mathbb{F}_2$ (with the values of $f$ taken to be real numbers 0 and 1) is the map $W(f) : V_n \to \mathbb{R}$, defined by

$W(f)(w) = \sum_{x \in V_n} f(x)\,(-1)^{w \cdot x}$   (2.1)

This defines the coefficients of $f$ with respect to the orthogonal basis of the group characters $Q_w(x) = (-1)^{w \cdot x}$; $f$ can be recovered by the inverse Walsh transform:

$f(x) = 2^{-n} \sum_{w \in V_n} W(f)(w)\,(-1)^{w \cdot x}$   (2.2)

The Walsh spectrum of $f$ is the list of $2^n$ Walsh coefficients given by (2.1) as $w$ varies" [13, p. 8].
III. CORRELATION AND ALGEBRAIC ATTACKS


A.  INTRODUCTION 

In recent years, as computer-based communication systems have come into
common use in both commercial and military environments, stream
ciphers have remained dominant, since a stream cipher is fast and
allows synchronization between data and voice in broadband
channels. Short-range (Bluetooth) and medium-range (Wi-Fi) wireless networks
use stream ciphers to provide authentication and data encryption between a host
and wireless access points. Bluetooth uses the E0 stream cipher, and WEP uses the
RC4 stream cipher, which provides weak encryption. Wi-Fi uses the IEEE 802.11i
(Wi-Fi Protected Access 2, WPA2) protocol for encryption; WPA2 uses the block
cipher Advanced Encryption Standard (AES). Worldwide Interoperability for Microwave
Access (WiMAX) is an IEEE 802.16 standard that aims to deliver wireless data
fast and over a long range; WiMAX uses a combination of AES and 3DES (Triple Data
Encryption Standard). In this chapter, we present the foundations of correlation
and algebraic attacks. We review the basic features of these attacks and discuss
the results of the implementation of these attacks on stream ciphers used in a
wireless environment such as Bluetooth.

B.  PROPERTIES  OF  BOOLEAN  FUNCTIONS 

Boolean functions (polynomials in $n$ variables with a one-bit output) are
used in several cryptographic applications in wireless systems and must satisfy
several cryptographic criteria. Although the required quality of these properties depends
on the specific cryptosystem that is implemented, the properties that a Boolean
function must provide include balance, nonlinearity, correlation immunity, and high
algebraic degree, just to mention a few.
1. Balance of Boolean Functions

A Boolean function is balanced if its output is equally distributed, which
means that its Hamming weight is $2^{n-1}$, where $n$ is the number of variables.

2. Nonlinearity

The nonlinearity of a Boolean function $f$, $N_f$, is defined as the minimum
Hamming distance between the function itself and every single function that
belongs to the set of the affine Boolean functions. Thus,

$N_f = \min_{\varphi \in A_n} d(f, \varphi),$

where $A_n$ is the class of all affine functions on the vector space $V_n$ [13, p. 7].

3. Correlation and Algebraic Immunity

A Boolean function $f$ has correlation immunity of order $k$ if its output is
statistically independent of any subset of $k$ input variables. Correlation is a useful
concept in cryptanalysis, because it may reveal to an attacker how an encryption
function $f$ behaves if one slightly changes the input. Furthermore, a Boolean
function with a low order of correlation immunity is more susceptible to
attacks on the system than a Boolean function with a high order of
correlation immunity. Siegenthaler [15] showed that a high algebraic degree
restricts the maximum possible correlation immunity: a Boolean function $f$ of degree $d$
in $n$ variables that is correlation immune of order $k$ satisfies $k + d \le n$.
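The quantities defined in Sections 4 and 5 of the previous chapter and in B.1 to B.3 above are easiest to check in code. The following Python example, added here and not part of the thesis, computes the Walsh transform of Definition 2.14 (equations 2.1 and 2.2), the signed spectrum, balance, nonlinearity (both from the spectrum and directly from the definition as a minimum Hamming distance to the affine functions), the order of correlation immunity and the probability of agreement with a linear function, for the three-variable combiner $f(x,y,z) = xy \oplus yz \oplus z$ that Example 3.3 below uses. Function and variable names are the example's own.

```python
def truth_table(f, n):
    """Truth table of f on V_n; index i encodes x = (x_1, ..., x_n) with x_1 as the most significant bit."""
    return [f(*[(i >> (n - 1 - j)) & 1 for j in range(n)]) for i in range(1 << n)]


def hamming_weight(tt):
    """wt(f): number of 1's in the truth table (Definition 2.13)."""
    return sum(tt)


def hamming_distance(tt_f, tt_g):
    """d(f, g): number of inputs on which f and g differ, i.e. wt(f xor g)."""
    return sum(a ^ b for a, b in zip(tt_f, tt_g))


def fwht(values):
    """Fast Walsh-Hadamard transform: out[w] = sum_x values[x] * (-1)^<w,x>, in O(n 2^n) time."""
    a = list(values)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                u, v = a[j], a[j + h]
                a[j], a[j + h] = u + v, u - v
        h *= 2
    return a


def walsh_transform(tt):
    """W(f)(w) of equation (2.1), with f taken as the real numbers 0 and 1."""
    return fwht(tt)


def inverse_walsh(W):
    """Equation (2.2): f(x) = 2^-n * sum_w W(f)(w) (-1)^<w,x>; the division is exact."""
    n = len(W).bit_length() - 1
    return [c // (1 << n) for c in fwht(W)]


def walsh_spectrum(tt):
    """Signed spectrum F(w) = sum_x (-1)^(f(x) xor <w,x>) = 2^n [w = 0] - 2 W(f)(w)."""
    return fwht([1 - 2 * b for b in tt])


def is_balanced(tt):
    """Balanced iff wt(f) = 2^(n-1), equivalently F(0) = 0."""
    return hamming_weight(tt) == len(tt) // 2


def nonlinearity(tt):
    """N_f = 2^(n-1) - max_w |F(w)| / 2."""
    n = len(tt).bit_length() - 1
    return (1 << (n - 1)) - max(abs(c) for c in walsh_spectrum(tt)) // 2


def nonlinearity_by_definition(tt):
    """N_f = min over affine phi of d(f, phi), enumerating all 2^(n+1) affine functions <w,x> + c."""
    n = len(tt).bit_length() - 1
    best = len(tt)
    for w in range(1 << n):
        for c in (0, 1):
            affine = [(bin(w & x).count("1") + c) & 1 for x in range(1 << n)]
            best = min(best, hamming_distance(tt, affine))
    return best


def correlation_immunity_order(tt):
    """Xiao-Massey criterion: f is CI of order k iff F(w) = 0 for every w with 1 <= wt(w) <= k."""
    n = len(tt).bit_length() - 1
    F = walsh_spectrum(tt)
    for k in range(1, n + 1):
        if any(F[w] != 0 for w in range(1, 1 << n) if bin(w).count("1") == k):
            return k - 1
    return n


def agreement_probability(tt, w):
    """P[f(x) = <w,x>] = 1/2 + F(w) / 2^(n+1): the bias a correlation attack exploits."""
    n = len(tt).bit_length() - 1
    return 0.5 + walsh_spectrum(tt)[w] / (1 << (n + 1))


def combiner(x, y, z):
    """The combining function of Example 3.3: f(x, y, z) = xy + yz + z."""
    return (x & y) ^ (y & z) ^ z


if __name__ == "__main__":
    tt = truth_table(combiner, 3)
    print("truth table", "".join(map(str, tt)))
    print("W(f)", walsh_transform(tt))
    print("F(w)", walsh_spectrum(tt))
    print("balanced", is_balanced(tt), "N_f", nonlinearity(tt), "CI order", correlation_immunity_order(tt))
    print("P[f = x]", agreement_probability(tt, 0b100), "P[f = y]", agreement_probability(tt, 0b010))
```

The index `w = 0b100` denotes the linear function $x$ (first variable, most significant bit), so the last line reports the two biases that Example 3.3 exploits: $f$ agrees with $x$ and with $z$ three times out of four, and with $y$ only half of the time, which is why $f$ is correlation immune of order 0 and why the register $y$ cannot be attacked by correlation.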

Definition 3.1: An annihilator of a polynomial $f$ is a nonzero polynomial
$g$ such that $fg = 0$.

The above definition motivates the concept of the algebraic immunity $AI(f)$ of a
Boolean function $f$ of degree $d$ in $n$ variables. $AI(f)$ is the least value of
$d$ such that either $f$ or $f \oplus 1$ has an annihilator of degree $d$. In other words,
if $d$ is the minimum degree of a nonzero $g$ with $fg = 0$ or $(f \oplus 1)g = 0$, then the
algebraic immunity is $d$.

Example 3.2:

Assume $f(x_1,x_2,x_3,x_4) = x_1x_2x_3x_4$ and $g(x_1,x_2,x_3,x_4) = x_1 \oplus x_2 \oplus x_3 \oplus x_4$. Then

$fg = x_1x_2x_3x_4 \oplus x_1x_2x_3x_4 \oplus x_1x_2x_3x_4 \oplus x_1x_2x_3x_4 = 0,$

since $x_1x_1 = x_1$, $x_2x_2 = x_2$, $x_3x_3 = x_3$, $x_4x_4 = x_4$ over $\mathbb{F}_2$, and the four equal terms cancel in pairs.

Notice that $f$ is of degree 4 in four variables whereas $g$ is of degree 1, so $AI(f) = 1$.
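The annihilator of Example 3.2 was found by inspection. The example below, added here and not from the thesis, finds all annihilators of degree at most $d$ of a Boolean function by linear algebra over GF(2): a candidate $g$ of degree at most $d$ is a vector of ANF coefficients, and $fg = 0$ means that $g$ vanishes on every point of the support of $f$, which gives one linear constraint per support point. $AI(f)$ is then the smallest $d$ for which $f$ or $f \oplus 1$ has a nonzero solution, as in Section B.3. The code checks Example 3.2 and also the combiner of Example 3.3 below, which turns out to have the largest algebraic immunity possible for three variables, namely 2. All names are the example's own; for large $n$ one would use the dedicated algorithms of Meier, Pasalic and Carlet [19] rather than this generic elimination.

```python
from itertools import combinations


def truth_table(f, n):
    """Truth table of f; index i encodes (x_1, ..., x_n) with x_1 as the most significant bit."""
    return [f(*[(i >> (n - 1 - j)) & 1 for j in range(n)]) for i in range(1 << n)]


def monomials_upto(n, d):
    """All monomials of degree <= d, as tuples of 0-based variable indices; () is the constant 1."""
    return [m for k in range(d + 1) for m in combinations(range(n), k)]


def eval_anf(anf, x):
    """Evaluate an ANF (a list of monomials XORed together) at the bit vector x."""
    value = 0
    for m in anf:
        value ^= all(x[i] for i in m)          # product of the variables in m; () evaluates to 1
    return value & 1


def gf2_nullspace(rows, ncols):
    """Basis of {c : row . c = 0 for every row} over GF(2). Rows are ints with bit j = column j."""
    pivots = {}                                 # pivot column -> fully reduced row
    for r in rows:
        for p, pr in pivots.items():            # reduce r against the existing pivot rows
            if r >> p & 1:
                r ^= pr
        if r:
            p = r.bit_length() - 1
            for q in list(pivots):              # keep the other pivot rows clear of column p
                if pivots[q] >> p & 1:
                    pivots[q] ^= r
            pivots[p] = r
    free = [j for j in range(ncols) if j not in pivots]
    basis = []
    for fcol in free:                           # one basis vector per free column
        vec = 1 << fcol
        for p, pr in pivots.items():
            if pr >> fcol & 1:
                vec |= 1 << p
        basis.append(vec)
    return basis


def annihilators(tt, n, d):
    """Basis of all g with deg(g) <= d and f g = 0, each g returned as a list of monomials.
    g annihilates f iff g(x) = 0 for every x in supp(f): one GF(2) equation per support point."""
    mons = monomials_upto(n, d)
    rows = []
    for idx, fx in enumerate(tt):
        if fx:
            x = [(idx >> (n - 1 - j)) & 1 for j in range(n)]
            rows.append(sum(1 << c for c, m in enumerate(mons) if all(x[i] for i in m)))
    return [[mons[c] for c in range(len(mons)) if vec >> c & 1]
            for vec in gf2_nullspace(rows, len(mons))]


def is_annihilator(tt, g, n):
    """Direct check of Definition 3.1: g is nonzero and f(x) g(x) = 0 for all x."""
    nonzero = False
    for idx, fx in enumerate(tt):
        x = [(idx >> (n - 1 - j)) & 1 for j in range(n)]
        gx = eval_anf(g, x)
        nonzero |= gx
        if fx & gx:
            return False
    return bool(nonzero)


def algebraic_immunity(tt, n):
    """AI(f): least d such that f or f + 1 has an annihilator of degree d (Section B.3)."""
    complement = [1 - b for b in tt]
    for d in range(n + 1):
        if annihilators(tt, n, d) or annihilators(complement, n, d):
            return d
    return n


if __name__ == "__main__":
    # Example 3.2: f = x1 x2 x3 x4 has the degree-1 annihilator x1 + x2 + x3 + x4 (among others).
    tt4 = truth_table(lambda a, b, c, d: a & b & c & d, 4)
    print("AI(x1x2x3x4) =", algebraic_immunity(tt4, 4))
    print("basis of degree-1 annihilators:", annihilators(tt4, 4, 1))
    # The combiner of Example 3.3: neither f nor f + 1 has a degree-1 annihilator, so AI = 2.
    tt3 = truth_table(lambda x, y, z: (x & y) ^ (y & z) ^ z, 3)
    print("AI(xy + yz + z) =", algebraic_immunity(tt3, 3))
```

Monomials are tuples of 0-based indices, so `(0,)` is $x_1$ and `()` is the constant 1; the basis returned for Example 3.2 spans $x_1 \oplus x_2 \oplus x_3 \oplus x_4$ together with every other affine function that vanishes at $(1,1,1,1)$.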


C.  CORRELATION  ATTACKS 

Correlation and fast or conditional correlation attacks [1], [2] exploit a biased
relation between the keystream and the output sequences of certain LFSRs; the attacker
must first find such a relation. A correlation attack is a probabilistic approach. When
the keystream is the output of a Boolean function that combines the outputs of several
LFSRs, and that function agrees with the output of one LFSR more often than half of
the time, then the attacker may find the initial state of that LFSR on its own, by trying all of
its initial states and keeping the one whose output agrees best with the keystream.
The following example illustrates the correlation attack process.

Example  3.3: 

Suppose that a keystream generator consists of three LFSRs, say $x, y, z$,
of lengths three, four, and five respectively. Assume that the combiner Boolean
function is of the form:

$f(x,y,z) = xy \oplus yz \oplus z.$

Then, the initial value of the key must be $12 = 3+4+5$ bits long.

Suppose that the initial values of the LFSRs are $x = 011$, $y = 0101$, $z = 11100$, and
for clock ticks $i = 0, 1, 2, \ldots, 23$ the registers and the combiner produce:

$x_i = 011100101110010111001011$
$y_i = 010110010001111010110010$
$z_i = 111000110111010100001001$

$k_i = 111100100110010110001011$

where $k_i$ is the keystream.

The truth table of the combining Boolean function $f$ is of the following form:

  x  y  z | f
  0  0  0 | 0
  0  0  1 | 1
  0  1  0 | 0
  0  1  1 | 0
  1  0  0 | 0
  1  0  1 | 1
  1  1  0 | 1
  1  1  1 | 1

where $f = 01000111$ (the $f$ column read from top to bottom).

By comparing the columns of the variables $x$ and $z$ with the column of $f$, one can easily observe that
$f(x,y,z) = x$ with probability $P(f = x) = 3/4$ and $f(x,y,z) = z$ with probability
$P(f = z) = 3/4$, whereas $f$ agrees with $y$ only half of the time. Assume that the attacker has access to the following keystream:

$k_i = 111100100110010110001011$

The attacker is trying to find the initial values of the LFSRs. He guesses that
$x = 111$, generates the first 24 bits of $x$ and compares them to $k_i$ as
follows:

$x_i = 111001011100101110010111$
$k_i = 111100100110010110001011$

Comparison of the two shows that only 12 out of 24 bits match, so the
question is this: can the attacker make a better guess? If the attacker guesses
$x = 011$, generates the first 24 bits of $x$ and compares them to $k_i$, he
finds that 21 out of 24 bits match, which is a much better agreement (the bias of $3/4$
alone predicts 18 of 24), so the attacker has found the initial
value of $x$, as seen below:

$x_i = 011100101110010111001011$
$k_i = 111100100110010110001011$

The initial value of $z$ is found in the same way, since $f$ is also correlated with $z$. The register $y$, whose output is uncorrelated with $f$, cannot be attacked this way; once $x$ and $z$ are known, its $2^4$ initial states are simply tried until the combiner reproduces the keystream.

If the $n$ LFSRs have lengths $L_1, L_2, \ldots, L_n$, then the correlation attack needs
$2^{L_1} + 2^{L_2} + \cdots + 2^{L_n}$ effort, which is much less than the work required for the
exhaustive key search, $2^{L_1 + L_2 + \cdots + L_n}$.
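The divide-and-conquer procedure of Example 3.3 carried through in code, as an added example that is not part of the thesis. It regenerates the three register sequences and the keystream of the example, scores every nonzero initial state of $x$ and of $z$ by its agreement with the keystream, and then recovers $y$ (uncorrelated with $f$) by trying its $2^4$ states against the combiner. The feedback taps are the example's own assumption, chosen so that the registers reproduce the bit strings printed above: $x_{i+3} = x_i \oplus x_{i+1}$, $y_{i+4} = y_i \oplus y_{i+3}$ and $z_{i+5} = z_i \oplus z_{i+2}$.

```python
# Register lengths from Example 3.3; the taps are this example's assumption (see the lead-in).
X_TAPS, Y_TAPS, Z_TAPS = (0, 1), (0, 3), (0, 2)
X_LEN, Y_LEN, Z_LEN = 3, 4, 5


def lfsr(state, taps, nbits):
    """Fibonacci LFSR: emit s[0], s[1], ... where s[t+L] = XOR of s[t+i] for i in taps."""
    s = list(state)
    out = []
    for _ in range(nbits):
        out.append(s[0])
        new = 0
        for i in taps:
            new ^= s[i]
        s = s[1:] + [new]
    return out


def combiner(x, y, z):
    """f(x, y, z) = xy + yz + z: agrees with x and with z 3/4 of the time, with y only 1/2."""
    return (x & y) ^ (y & z) ^ z


def keystream(x_state, y_state, z_state, nbits):
    xs = lfsr(x_state, X_TAPS, nbits)
    ys = lfsr(y_state, Y_TAPS, nbits)
    zs = lfsr(z_state, Z_TAPS, nbits)
    return [combiner(a, b, c) for a, b, c in zip(xs, ys, zs)]


def int_to_state(v, length):
    return tuple((v >> (length - 1 - i)) & 1 for i in range(length))


def agreement(seq, ks):
    """Number of positions where a candidate register output agrees with the keystream."""
    return sum(a == b for a, b in zip(seq, ks))


def rank_states(ks, length, taps):
    """Correlation step for one register: try all 2^L - 1 nonzero states, best agreement first."""
    scores = []
    for v in range(1, 1 << length):
        state = int_to_state(v, length)
        scores.append((agreement(lfsr(state, taps, len(ks)), ks), state))
    scores.sort(reverse=True)
    return scores


def correlation_attack(ks):
    """Recover the (x, y, z) initial states from the keystream with about 2^3 + 2^5 + 2^4 trials
    instead of 2^12. Returns None if no y state is consistent with the recovered x and z."""
    x_state = rank_states(ks, X_LEN, X_TAPS)[0][1]   # correlated registers: take the best-agreeing state
    z_state = rank_states(ks, Z_LEN, Z_TAPS)[0][1]
    xs = lfsr(x_state, X_TAPS, len(ks))
    zs = lfsr(z_state, Z_TAPS, len(ks))
    for v in range(1, 1 << Y_LEN):                   # uncorrelated register: exact consistency check
        y_state = int_to_state(v, Y_LEN)
        ys = lfsr(y_state, Y_TAPS, len(ks))
        if [combiner(a, b, c) for a, b, c in zip(xs, ys, zs)] == ks:
            return x_state, y_state, z_state
    return None


def bits(s):
    """'0110' -> [0, 1, 1, 0]"""
    return [int(ch) for ch in s]


if __name__ == "__main__":
    ks = keystream((0, 1, 1), (0, 1, 0, 1), (1, 1, 1, 0, 0), 24)
    print("k_i =", "".join(map(str, ks)))
    for agree, state in rank_states(ks, X_LEN, X_TAPS)[:3]:
        print("x guess", "".join(map(str, state)), "agrees on", agree, "of 24 bits")
    print("recovered states:", correlation_attack(ks))
```

With only 24 keystream bits the true state of $z$ wins by a margin of two bits over the runner-up; on a real cipher the attacker uses far more keystream, or the statistical machinery of the fast correlation attacks described next, so that the correct state stands out reliably.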

The main derivatives of correlation attacks are fast correlation attacks and
conditional correlation attacks. Lu and Vaudenay [1] in 2004 introduced a fast
correlation attack and applied it to the Bluetooth E0 keystream generator
(Chapter V details the E0 keystream generator). Although correlations
of E0 had been discussed before, only for a short sequence of bits, Lu and
Vaudenay formulated a powerful method for computing correlations using a
recursive expression based on the maximum likelihood decoding (MLD)
algorithm by means of a fast Walsh transform (FWT). In order for their attack to
succeed, they built a distinguisher for E0 based on the largest bias they found.
Their  best  result,  as  it  concerns  EO,  is  limited  to  2”  operations  for  precomputation 
and  2^“*  operations  for  the  actual  keysearch. 

The conditional correlation attack takes advantage of the linear correlation
of the inputs conditioned on a known output pattern of a particular nonlinear
function and was proposed by Lu, Meier and Vaudenay in 2005. The best result
that they obtained on the Bluetooth E0 keystream generator was key recovery in $2^{38}$ operations,
requiring the first 24 bits of $2^{23.8}$ frames [2].
D. ALGEBRAIC ATTACKS

At a very high level, algebraic attacks on stream ciphers based upon
LFSRs recover the secret key by solving an overdefined system of multivariate
algebraic equations. One succeeds by exploiting multivariate
relations involving key bits and output bits, and the process becomes more efficient
once relations of low degree can be found. The idea of algebraic attacks is
based on the capability of an attacker to solve a system of nonlinear multivariate
equations of low degree. Courtois and Meier introduced algebraic attacks [16] in
2003. Algebraic attacks have been successful in breaking some keystream
generators like Toyocrypt and LILI-128 by drastically reducing the computation
time needed. The key idea is to generate low-degree equations by multiplying the
initial equations by well-chosen multivariate polynomials. The basic methods
used to solve the derived system of equations are the Gröbner basis algorithm or
linearization methods like extended linearization (XL) [17].

Courtois and Meier introduced three scenarios (S3a, S3b and S3c) under
which low-degree relations may exist in order to implement algebraic attacks
[18], where $f$ is the Boolean encryption function:

■ S3a: there is a function $g$ of low degree such that $fg \neq 0$ and $fg$ is a low-degree function

■ S3b: there is a function $g$ of low degree such that $fg = 0$

■ S3c: there is a function $g$ of high degree such that $fg \neq 0$ and $fg$ is a low-degree function, even though $f$ is of high degree

Meier,  Pasalic  and  Carlet  [19]  described  a  method  to  find  all  possible  annihilators 
of  a  given  Boolean  function  f  and  an  algorithm  which  determines  whether  a 
Boolean  function  of  n  variables  has  low  algebraic  immunity. 




Several algorithms have been introduced that assist in reducing the
complexity of solving systems of multivariate equations, but there is no silver
bullet, since Garey and Johnson [20] indicate that solving such systems of
multivariate polynomial equations is an NP-hard problem in general. The
classical algorithm for solving such a system of equations is Buchberger's
algorithm, which transforms the polynomial equations into a Gröbner basis [21]. A
Gröbner basis is a set of multivariate polynomials with a triangular structure analogous to
the result of Gaussian elimination (one may solve for one variable at a time). Every set of
polynomials can be transformed into a Gröbner basis, and the Gröbner basis has the same
solutions as the original system. The linearization algorithms, like
XL, have the following steps:

■  Find  an  over-defined  equation 

■  Replace  each  monomial  with  a  new  variable 

■  Solve  the  new  system  of  equations  as  a  linear  system 


Example 3.4:

Assume the following system of equations over $\mathbb{F}_2$:

$x_1 \oplus x_2 \oplus x_3 = 0$
$x_3 \oplus x_1x_2 \oplus 1 = 0$
$x_1x_2 \oplus x_1 = 0$
$x_1^2 \oplus x_1x_2 \oplus x_3 = 0$
$x_3 \oplus x_1^2 \oplus x_2 = 0$
$x_1^2 \oplus x_2 = 0$

Replace each nonlinear monomial by a new variable, $u_1 = x_1x_2$ and $u_2 = x_1^2$.
The following system of linear equations in $x_1, x_2, x_3, u_1, u_2$ is then obtained:

$x_1 \oplus x_2 \oplus x_3 = 0$
$x_3 \oplus u_1 \oplus 1 = 0$
$u_1 \oplus x_1 = 0$
$u_2 \oplus u_1 \oplus x_3 = 0$
$x_3 \oplus u_2 \oplus x_2 = 0$
$u_2 \oplus x_2 = 0$

which is easy to solve: $u_1 = x_1$, $x_3 = x_1 \oplus 1$, $u_2 = u_1 \oplus x_3 = 1$, $x_2 = u_2 = 1$,
$x_3 = u_2 \oplus x_2 = 0$ and hence $x_1 = 1$. The first equation, $1 \oplus 1 \oplus 0 = 0$, checks, and so do
the substitutions $u_1 = x_1x_2 = 1$ and $u_2 = x_1^2 = 1$. (Over $\mathbb{F}_2$ one also has $x_1^2 = x_1$; XL adds such field
equations to the system, which here would identify $u_2$ with $x_1$ directly.)
In 2003, Armknecht and Krause [22] applied algebraic attacks to wireless
systems like Bluetooth E0, in which the key could be recovered in $2^{67.58}$ operations
after the adversary had knowledge of $2^{23.07}$ keystream bits. Armknecht in 2004,
by  using  a  precomputation  step,  reduced  the  complexity  to  2^"^ ^'operations  after 
the  adversary  had  knowledge  of  2^^ keystream  bits  [23]. 

E.  CONCLUSION 

In this chapter, the author reviewed some of the recent types of attacks on
wireless systems, namely correlation and algebraic attacks. It seems that
correlation attacks are computationally faster against wireless encryption
systems, like Bluetooth, which use stream ciphers, yet algebraic attacks require
less data during the preprocessing phase. In the following chapters, the author
will investigate a recently introduced type of algebraic attack, the cube attack,
which will be applied to the E0 keystream generator.
IV. CUBE ATTACK


A.  INTRODUCTION 

At the CRYPTO 2008 conference, Shamir described a new type of algebraic
attack, the cube attack. In September 2008, Dinur and Shamir published a paper
on ePrint [4] entitled "Cube Attacks on Tweakable Black Box Polynomials"
describing their approach. The cube attack is a generic attack that may be
applied to block ciphers, stream ciphers, or even keyed hash functions without
necessarily having knowledge of the internal structure of the cipher, as long as at
least one output bit can be represented by a polynomial of low degree in the
secret and public variables. Their approach is based on the basic algebraic
cryptanalysis concept, which replaces the high-degree polynomial
equations that represent a cryptosystem by polynomials of lower degree. The
polynomial equations used to describe a cryptosystem are variants derived from
a master polynomial by setting some variables to all their possible values (0 or 1) and
then summing the results. They call this attack the cube attack

"...since it sets some public variables to all their possible values in $n$,
$(d-1)$-dimensional Boolean cubes, and sums the results in each cube, where $d$
represents the degree of the polynomial and $n$ is the number of variables."
[4, p. 5]

The  mathematical  concepts  we  use  in  this  chapter  are  Boolean  functions 
(polynomials  of  n  variables  and  bit  output),  factorization  of  multivariable 
equations  to  reveal  linear  co-factors  called  superpolys,  and  solving  a  system  of 
linear  equations. 

B.  BACKGROUND/KEY  OBSERVATIONS  ON  THE  CUBE  ATTACK 

Actually, the idea of the cube attack is not new. Variations of this attack
have been proposed in [24], [25], [26]. These approaches are mostly based on
the use of heuristics that sum the output values over Boolean cubes of publicly
known variables. They are referred to as chosen-IV statistical attacks and are
mainly applicable against stream ciphers. However, the cube attack has a
wider range of targets and may be applied to block ciphers as well.

In the cube attack, when the master polynomial is random one may
eliminate with high probability all of the nonlinear terms by using, for example, a
chosen plaintext attack, thus reducing the problem to a
system of linear equations that is (relatively) easy to solve. Dinur and
Shamir implemented their cube attack on a reduced-round variant of the Trivium stream cipher and recovered the
encryption key in $2^{19}$ bit operations. The previous best-known attempt was made
by Fischer, Khazaei and Meier in [27], using a chosen-IV statistical analysis;
they succeeded in key recovery with $2^{55}$ bit operations. The master polynomial is
in algebraic normal form (ANF), which means that it is written as a sum (XOR) of products
of variables.

The following theorem expresses the concept of the cube attack.

Theorem 4.1 [from 5]: Let $f(x)$ be a polynomial in $n$ variables $x_0, \ldots, x_{n-1}$ of
degree $d$. Suppose $0 < k \le d$ and $t$ is the monomial $x_0 x_1 \cdots x_{k-1}$. Suppose $f$ can
be written in the following form:

$f(x) = t\,P_t(x) \oplus Q_t(x),$

where none of the terms in $Q_t(x)$ is divisible by $t$. Note that $\deg(P_t) \le d - k$.
Then the sum of $f$ over all $(x_0, \ldots, x_{k-1}) \in \mathbb{F}_2^k$, considered as a
polynomial in $x_k, \ldots, x_{n-1}$, equals

$\sum_{(x_0,\ldots,x_{k-1}) \in \mathbb{F}_2^k} f(x) = P_t(1, \ldots, 1, x_k, \ldots, x_{n-1})$

and hence is a polynomial of degree at most $d - k$.

Proof: Consider the equality $f = t\,P_t \oplus Q_t$. Then

$\sum_{(x_0,\ldots,x_{k-1}) \in \mathbb{F}_2^k} f = \sum_{(x_0,\ldots,x_{k-1}) \in \mathbb{F}_2^k} t\,P_t \;\oplus \sum_{(x_0,\ldots,x_{k-1}) \in \mathbb{F}_2^k} Q_t.$

In the first sum, $t = x_0 \cdots x_{k-1}$ is nonzero only when all of $x_0, \ldots, x_{k-1}$ equal 1, hence
the first sum collapses to the single term $P_t(1, \ldots, 1, x_k, \ldots, x_{n-1})$.

Furthermore, $Q_t$ is a sum of monomials that are not divisible by $t$. Let $m$ be any
one of these monomials. Since $m$ is not divisible by $t$, some $x_i$ with
$0 \le i \le k-1$ is missing from $m$. For instance, if $x_0$ is missing, then the sum over all
$(x_0, \ldots, x_{k-1}) \in \mathbb{F}_2^k$ can be split into two sums: the sum for $x_0 = 0$ and the sum
for $x_0 = 1$. These two sums are equal since $x_0$ does not appear in $m$, so they cancel modulo 2.

Therefore,

$\sum_{(x_0,\ldots,x_{k-1}) \in \mathbb{F}_2^k} m = 0 \;\Rightarrow\; \sum_{(x_0,\ldots,x_{k-1}) \in \mathbb{F}_2^k} Q_t = 0.$ ∎
The polynomial $f$ written in the form of Theorem 4.1 is called a master
polynomial.

The following example illustrates Theorem 4.1.

Example 4.2:

Consider a master polynomial $f$ of degree $d = 3$ in four
variables, two known variables $(x_1, x_2)$ and two unknown or secret variables
$(x_3, x_4)$. Suppose $f$ has the following algebraic normal form (ANF):

$f(x_1,x_2,x_3,x_4) = x_1x_2x_3 \oplus x_1x_2x_4 \oplus x_2x_3x_4 \oplus x_1x_3x_4 \oplus x_1x_2 \oplus x_1 \oplus x_1x_3 \oplus x_4 \oplus x_3 \oplus 1.$   (4.2)


Third-degree polynomials in four variables may have

$\binom{4}{3} + \binom{4}{2} + \binom{4}{1} + \binom{4}{0} = 4 + 6 + 4 + 1 = 15$

possible terms. Of these 15 terms, five are linear (the four variables and the
constant) and the remaining ten are nonlinear. To eliminate all the nonlinear
terms by Gaussian elimination, at least ten such polynomials (the nonlinear part can take
$2^{10}$ different values over $GF(2)$) are needed. If the two known variables $x_1, x_2$ are set to all their possible values (0
or 1), then one can construct only $2^2 = 4$ derived polynomials, which may not be
sufficient.


Xi 

X2 

Derived  Polynomials 

from  f 

Formal  Sum  over  all  values  of 

(Xi,X2) 

0 

0 

X4  ©  X3  ©  1 

0 

1 

X3X4  ©  X4  ©  X3  ©  1 

^  /(Xi,X2,X3,X4)  =  X3©X4©l,[1] 

(xi,X2)e{0,l}^ 

1 

0 

X3X4  ©  X4 

1 

1 

X3  ©1 

Table  3.  Formal  sum  of  known  variables 

The points $(0,0), (0,1), (1,0), (1,1)$ can be viewed as the corners of a square in
two dimensions (Figure 1).

[Figure 1. Square of Two Dimensions: corners (0,0), (0,1), (1,0), (1,1)]

This concept may scale to more than two variables. For example, if there
are three variables then the evaluation will be for eight points, and these
correspond to the corners of a cube in three dimensions, which is why Dinur and
Shamir called their process the cube attack (Figure 2).

[Figure 2. Cube of Three Dimensions: corners $(x_1,x_2,x_3) \in \{0,1\}^3$]
In a similar fashion, once the function $f$ is factored with respect to
the variables $x_1, x_2$,

$f(x_1,x_2,x_3,x_4) = x_1x_2(x_3 \oplus x_4 \oplus 1) \oplus (x_2x_3x_4 \oplus x_1x_3x_4 \oplus x_1 \oplus x_1x_3 \oplus x_4 \oplus x_3 \oplus 1),$   (4.3)

where $t_I = x_1x_2$ is the maxterm,

$p_{S(I)}(x) = x_3 \oplus x_4 \oplus 1$ is the superpoly, a linear co-factor or linear
nonconstant polynomial, and

$q(x) = x_2x_3x_4 \oplus x_1x_3x_4 \oplus x_1 \oplus x_1x_3 \oplus x_4 \oplus x_3 \oplus 1$ is the remainder.

The maxterm of the polynomial $f$ is indexed by $I = \{1,2\}$, a subset of size 2,
where $I \subseteq \{1,2,3,4\}$ is the index set of the variables that are multiplied together.


Theorem 4.1 is a basic theorem and is the tool used below to cryptanalyze the
Bluetooth E0 keystream generator.

Definition 4.3 [from 4]: A maxterm of $f$ is a term $t_I$, or cube, such that the
degree of the superpoly is $\deg(p_{S(I)}) = 1$, i.e. $p_{S(I)}$ is a linear nonconstant polynomial.

Based on Theorem 4.1 and illustrated in Example 4.2, the sum of the
$2^k$ polynomials derived from the initial polynomial $f$ by assigning all possible
values to the $k$ cube variables eliminates all terms except those that are contained in
the superpoly of $t_I$ in $f$.
Observation 4.4: Using the process described in Theorem 4.1, the
coefficient of a monomial can be computed by summing $f$ over all values of the
variables of that monomial.

Example 4.5:

Let $f$ be the following polynomial:

$f(x_1,x_2,x_3,x_4,x_5) = x_1x_2x_3 \oplus x_5 \oplus x_3x_4.$

Then all values of $x_1, x_2, x_3, x_4, x_5$ are summed as follows:

$f(0,0,0,0,0) \oplus f(0,0,0,0,1) \oplus f(0,0,0,1,0) \oplus f(0,0,1,0,0) \oplus \cdots \oplus f(1,1,1,1,1) = 0.$

The value of the expression above represents the coefficient of the monomial
$x_1x_2x_3x_4x_5$. Thus,

$f(x_1,x_2,x_3,x_4,x_5) = x_1x_2x_3 \oplus x_5 \oplus x_3x_4 \oplus 0 \cdot x_1x_2x_3x_4x_5.$

Observation 4.4 may be generalized. Assume that the encryption function is of
the form

$z = f(x,v),$   (4.4)

Equation (4.4) represents the encryption function of a stream cipher that
takes as input $n$ secret bits $x$ and $m$ known bits $v$ of the initialization vector (IV) and
outputs a keystream bit $z$.

Initially, the initialization vector bits $v$ are fixed over $\mathbb{F}_2$, and $T$ is the set of all
possible values of $v$, so $|T| = 2^m$.

If $f(x,v)$ is summed over $v \in T$, then we can write:

$\sum_{v \in T} f(x,v) = P(x).$   (4.5)

In accordance with Theorem 4.1, if $P(x) \neq 0$ and $P(x)$ is linear, then a maxterm has been found and
therefore one linear relation among the key bits is obtained. Therefore, in order to
obtain $n$ relations one needs to use the same $f$ with $n$ different maxterms.
Once there are $n$ such linearly independent relations among the key bits, the secret
key can be found by Gaussian elimination, the right-hand sides of the relations being
obtained through a chosen plaintext (chosen IV) attack.

The  cube  attack  may  be  completed  in  two  phases:  the  preprocessing 
phase  where  the  attacker  finds  as  many  maxterms  as  possible,  and  the  actual 
attacking  phase  where  the  attacker  solves  the  system  of  linear  equations. 

C.  PREPROCESSING  AND  ONLINE  PHASE 
1.  Preprocessing  Phase 

Assume that the following relation represents the encryption function of a
cipher, written in accordance with Theorem 4.1:

$f(x) = t_I \, p_{S(I)}(x) \oplus q(x),$   (4.6)

and let $C_I$ represent the summation cube of the set of variables with index set $I$.

Then, if $t_I$ is a maxterm of the encryption function $f$ in (4.6), the attacker
may compute the free term of $p_{S(I)}(x)$ by summing modulo 2 the values of $f(x)$ over all
assignments of the variables in $C_I$, with every variable outside $C_I$ set to zero.

Then the attacker can compute the coefficient of $x_i$ in the linear expression $p_{S(I)}(x)$
by summing modulo 2 all values of $f(x)$ over $C_I$ with the variables outside the cube equal to 0 except $x_i$,
which is 1, and adding the free term to the result, as detailed in the proof of Theorem 4.1. [4]
In the preprocessing phase, the attacker is trying to find as many
maxterms in the public variables $(v_1, \ldots, v_m)$ as possible and their corresponding superpolys, in
the following manner:

$f(x,v) = v_1v_2v_3(x_1 \oplus x_2 \oplus x_3) \oplus \ldots$

$f(x,v) = v_1v_4v_6(x_2 \oplus x_4) \oplus \ldots$

$f(x,v) = v_3v_5(x_4 \oplus x_6) \oplus \ldots$

$f(x,v) = v_2v_4(x_1 \oplus x_6) \oplus \ldots$

When the attacker has no information about the structure of the encryption
function, then it can be considered as a black-box polynomial. The attacker can
reconstruct the superpolys using linearity tests. All he can do is query the
function $f$, meaning that he can pass in a value $x$ and get the value $f(x)$.
Because in a linear expression the coefficient of any variable $x_i$ is 1 if and only if
changing the value of $x_i$ changes the value of the expression, each coefficient is obtained from two cube sums, and the free term
is computed by setting all variables to 0.

2.  Online  Phase 

In this phase, the attacker has to solve a system of linear equations where
each linear equation is the superpoly $p_{S(I)}$ of a maxterm $t_I$, set equal to the cube sum observed from the cipher. The attacker simply
applies a chosen plaintext (chosen IV) attack on the cipher to obtain these cube sums. The attacker has to find as many
linear relations as possible in order to solve the system of linear equations.
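The two phases described above, carried through in Python as an added example that is not from the thesis or from [4]. The cipher is treated as a black box: a Python function from (public IV bits, secret key bits) to one output bit. The preprocessing phase computes cube sums, tests each candidate superpoly for linearity (here exhaustively over all pairs of key vectors, which is affordable for a handful of key bits; Dinur and Shamir use random probes), and reconstructs the free term and the coefficients exactly as Section C.1 prescribes. The online phase obtains one cube sum per maxterm with the real key inside the black box and solves the resulting linear system by Gauss-Jordan elimination over GF(2), which is also the final step of the XL linearization of Example 3.4. The polynomial of Example 4.2 is used to check the factorization (4.3); `toy_cipher` is a constructed six-variable polynomial of this example's own (not a real cipher), chosen so that some cubes have a nonlinear superpoly, one cube has the constant superpoly 1 (linear but not a maxterm), and three maxterms suffice to recover the three key bits.

```python
from itertools import combinations, product


def example_4_2(v, x):
    """Master polynomial (4.2): public (x1, x2) = v, secret (x3, x4) = x, names as in the text."""
    x1, x2 = v
    x3, x4 = x
    return ((x1 & x2 & x3) ^ (x1 & x2 & x4) ^ (x2 & x3 & x4) ^ (x1 & x3 & x4)
            ^ (x1 & x2) ^ x1 ^ (x1 & x3) ^ x4 ^ x3 ^ 1)


def toy_cipher(v, x):
    """Constructed black box (this example's own): 3 IV bits v, 3 key bits x. Cubes {v1,v2}, {v2,v3},
    {v1,v3} have linear superpolys, {v3} has the constant 1, all other cubes are nonlinear."""
    v1, v2, v3 = v
    x1, x2, x3 = x
    return ((v1 & v2 & (x1 ^ x3)) ^ (v2 & v3 & (x2 ^ 1)) ^ (v1 & v3 & (x1 ^ x2))
            ^ (v1 & v2 & v3 & x1 & x2) ^ (v1 & x1 & x2 & x3) ^ (v2 & x1 & x3) ^ (x2 & x3) ^ v3 ^ 1)


def cube_sum(f, m, cube, x):
    """p_I(x): XOR of f over all assignments of the IV bits in `cube`, the other IV bits being 0."""
    total = 0
    for assignment in product((0, 1), repeat=len(cube)):
        v = [0] * m
        for i, b in zip(cube, assignment):
            v[i] = b
        total ^= f(tuple(v), x)
    return total


def superpoly_is_linear(f, m, cube, n):
    """BLR linearity test p(a) + p(b) + p(a+b) + p(0) = 0, here over every pair (a, b) of key vectors."""
    p = lambda key: cube_sum(f, m, cube, key)
    zero = p((0,) * n)
    for a in product((0, 1), repeat=n):
        for b in product((0, 1), repeat=n):
            a_xor_b = tuple(i ^ j for i, j in zip(a, b))
            if p(a) ^ p(b) ^ p(a_xor_b) ^ zero:
                return False
    return True


def reconstruct_superpoly(f, m, cube, n):
    """Section C.1: free term = p(0); coefficient of x_i = p(e_i) + p(0). Returns (const, [c_1..c_n])."""
    const = cube_sum(f, m, cube, (0,) * n)
    coeffs = []
    for i in range(n):
        e_i = tuple(1 if j == i else 0 for j in range(n))
        coeffs.append(cube_sum(f, m, cube, e_i) ^ const)
    return const, coeffs


def preprocess(f, m, n):
    """Find maxterms: cubes whose superpoly is linear and nonconstant. Needs no key; done once per cipher."""
    maxterms = []
    for size in range(1, m + 1):
        for cube in combinations(range(m), size):
            if superpoly_is_linear(f, m, cube, n):
                const, coeffs = reconstruct_superpoly(f, m, cube, n)
                if any(coeffs):                       # a constant superpoly says nothing about the key
                    maxterms.append((cube, const, coeffs))
    return maxterms


def gf2_solve(equations, n):
    """Gauss-Jordan elimination over GF(2). equations: (mask, rhs) with bit i of mask = coefficient of
    x_(i+1). Returns the unique solution, or None if the system is inconsistent or underdetermined."""
    rows = list(equations)
    pivot_cols = []
    r = 0
    for col in range(n):
        piv = next((i for i in range(r, len(rows)) if rows[i][0] >> col & 1), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        for i in range(len(rows)):
            if i != r and rows[i][0] >> col & 1:
                rows[i] = (rows[i][0] ^ rows[r][0], rows[i][1] ^ rows[r][1])
        pivot_cols.append(col)
        r += 1
    if any(mask == 0 and rhs == 1 for mask, rhs in rows[r:]):
        return None                                   # 0 = 1: contradictory equations
    if r < n:
        return None                                   # too few independent maxterms
    solution = [0] * n
    for i, col in enumerate(pivot_cols):
        solution[col] = rows[i][1]
    return tuple(solution)


def online(f, m, n, maxterms, secret):
    """Chosen-IV phase: one cube sum per maxterm with the real key, then solve p_I(x) = observed sum."""
    equations = []
    for cube, const, coeffs in maxterms:
        observed = cube_sum(f, m, cube, secret)       # the secret is only ever used inside the black box
        mask = sum(c << i for i, c in enumerate(coeffs))
        equations.append((mask, observed ^ const))
    return gf2_solve(equations, n)


if __name__ == "__main__":
    print("Example 4.2, cube {x1,x2}:", reconstruct_superpoly(example_4_2, 2, (0, 1), 2))
    found = preprocess(toy_cipher, 3, 3)
    for cube, const, coeffs in found:
        print("maxterm", cube, "superpoly: const", const, "coefficients", coeffs)
    print("recovered key:", online(toy_cipher, 3, 3, found, (1, 0, 1)))
```

For Example 4.2 the code returns `(1, [1, 1])`, i.e. the superpoly $x_3 \oplus x_4 \oplus 1$ of (4.3), but the single maxterm $x_1x_2$ gives only one equation for two key bits, so `online` reports an underdetermined system; this is the situation the text describes when it says four derived polynomials may not be sufficient. The toy cipher yields three independent maxterms and the key is recovered from $4 + 4 + 4$ chosen-IV queries.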

D.  EXTENSIONS  OF  THE  CUBE  ATTACK 

Zhang  et  al.  in  [5]  proposed  two  different  variations  of  the  cube  attack:  the 
cube  attack  with  annihilators  and  the  cube  attack  on  a  vectorial  Boolean  function 
finding  relations  with  low  degree  polynomials. 
1. Cube Attack with Annihilators


In cube attacks with annihilators the focus is on stream ciphers. The
method is a combination of the algebraic attack of Courtois and Meier [18] and
the cube attack [4]. It adapts the main observation of Courtois and Meier about
polynomials: for some polynomial $f$ one may find a polynomial $g$ of lower degree
than $f$, such that $h = fg$ is also of low degree.

Assume that there is a stream cipher and the output bit is

$z = f(x,v),$   (4.7)

where $x$ is the unknown variable and $v$ represents the known variable. Courtois'
concept may be applied in the cube attack and one ends up with the following
relation [from 5]:

$\sum_{v \in C} h(x,v) = \sum_{v \in C} f(x,v)\,g(x,v),$   (4.8)

where $\deg(g) = k$, $\deg(f) = d$ and $k < d$. Then $\deg(h) = l$, where $l < d$ and $l \ge k$.

In the basic steps of the cube attack with annihilators the attacker initially uses
known algorithms to find $g$ and $h$. Then, in the preprocessing phase, the attacker
computes the polynomial derived from the summation

$\sum_{v \in C} h(x,v),$   (4.9)

and in the online phase, he calculates through linearization the summation

$\sum_{v \in C} f(x,v)\,g(x,v) = \sum_{v \in C} h(x,v).$   (4.10)

Zhang et al. implemented the above attack on the Toyocrypt cipher with
resynchronization, breaking the cipher in a few milliseconds on an ordinary PC [5].

2.  Cube  Attack  on  a  Vectorial  Filter  Function  with  Low  Degree 

In the cube attack on a vectorial filter function with low degree, Zhang et al.
in [5] combined the cube attack with annihilators with low-degree relations on vectorial
equations, which are obtained from the computation of the rank of the matrices of
some monomials.

Assuming we have the following vectorial filter function:

$z = f(x,v),$   (4.11)

where $x$ are the unknown bits, of size $n$, $v$ are the known bits, of size $m$, and $z$ is a vector
of multiple output bits. A function $g(x,v,z)$ is found with $\deg_{x,v}(g) = k$ such
that $h(x,v) = g(x,v,f(x,v))$ is of degree $l$, with $k < l < \deg(f)$.

The attack phases are as follows [from 5]:

Firstly, $g$ and $h$ must be found. Then maxterms $C$ are chosen, and for each maxterm
the summation $\sum_{v \in C} h(x,v)$ is computed by finding the coefficient of every $x$-monomial,
the coefficient of $x_k$ being read off at the unit vector $e_k$ (the vector whose $k$-th component is 1 and the rest are 0).

Finally, in the online phase, for each maxterm $\sum_{v \in C} g(x,v,z)$ is computed as a
polynomial of $x$, since $z$ is known.

The cube attack with annihilators may be applied to single-bit-output
ciphers, whereas the cube attack with a vectorial filter function may be applied to
multi-output stream ciphers.
V. BLUETOOTH KEY STREAM GENERATOR E0


A.  INTRODUCTION 

The Bluetooth encryption concept is described in Volume 2, Part C,
Chapter 4.2 of the Bluetooth specification document [28]. Bluetooth is the name
of a wireless communication protocol used for exchanging data between mobile and
fixed devices (laptops, PCs, mobile phones, etc.) at low power and short range,
thus creating personal area networks (PANs). Bluetooth communication ranges
(transmitter to receiver) from 1 to 10 meters (approximately 33 feet), and higher-power
Bluetooth devices reach ranges up to 100 meters (approximately 328
feet). Bluetooth provides authentication mechanisms and data encryption,
ensuring confidentiality of the data using point-to-point or broadcast encryption
[28, p. 935]. Bluetooth uses the stream cipher E0 for encryption, which
is a combination generator with memory. For the rest of the thesis, the author will
concentrate on analyzing the key generation process, investigating the
cryptographic strength of E0 under a cube attack.

B.  BLUETOOTH’S  ENCRYPTION  APPROACH 

Every time two Bluetooth devices want to communicate securely with each
other, a key exchange protocol is run. Once both devices agree on a shared
secret, called the link key, and authenticate themselves, this link key is later used to
generate the encryption key ($K_c$). Although Bluetooth uses the algorithms E21 and
E22, which are based on the block cipher Secure And Fast Encryption Routine
(SAFER+), for key derivation and authentication, Bluetooth does not
use these algorithms to encrypt information [28, p. 952]. The payload of each
packet is enciphered separately. The encryption algorithm E0 uses the
Bluetooth device address of the originator, usually the master device
(BD_ADDR), twenty-six bits of the master's clock, and the encryption
key $K_c$.

$K_c$ is the secret key that is produced from the current link key. A 96-bit
ciphering offset number called COF, known from the authentication
procedure, and a 128-bit random number (EN_RAND), which is a public variable
that is transmitted as plaintext, are needed in order to produce this encryption
key $K_c$, as depicted in Figure 3. This process is carried out by the key-generation
algorithm E3.


[Figure 3: block diagram of E3; the inputs EN_RAND, COF and Link_Key enter E3, which outputs $K_C$.]

Figure 3. Encryption Algorithm E3 (After [28, p. 953])

Inside E0, the secret key $K_C$ is modified into another key, namely $K_C'$.
The $K_C'$ key is used along with the public variables, the originating device's
media access control (MAC) address, and the clock value. The clock value
changes on each packet (and acts as an "IV"), as is shown in Figure 4.
[Figure 4: the initiator (master) sends EN_RAND to the responder.]

Figure 4. Functional Description of the Encryption Procedure (After [28, p. 937])


The encryption algorithm E0 generates a binary keystream, called $K_{cipher}$,
which is bitwise XORed with the plaintext. The cipher is symmetric, and
decryption is performed in the same way: the receiver generates the same
keystream, which is then bitwise XORed with the ciphertext to produce the plaintext.


C. STREAM CIPHER E0

Stream cipher E0 is a keystream combination generator with memory. It
uses four LFSRs of total length 128 bits and a nonlinear combiner function with
memory. A finite state machine with sixteen states, called a summation combiner,
combines the output of the LFSRs. The output of this state machine
is the key sequence or, during the initialization phase, the randomized
initial start value. The algorithm uses the encryption key $K_C$, a 48-bit address,
the master clock bits $CLK_{26-1}$, and a 128-bit random number [28, pp. 937-938].
The setup of an E0 keystream generator is depicted in Figure 5.
[Figure 5: block diagram of the E0 keystream generator setup, showing where the initial values are loaded.]

Figure 5. Encryption Procedure (After [39])

The four linear feedback shift registers of E0 (LFSR1, LFSR2, LFSR3 and
LFSR4) have the following lengths:

$L_1 = 25,\; L_2 = 31,\; L_3 = 33,\; L_4 = 39.$


Their  corresponding  polynomials,  which  are  all  primitive,  are  shown  in  Table  5. 
Primitive Feedback Polynomials of E0

i        L_i    Primitive Feedback Polynomial f_i(x)        Hamming Weight
LFSR1    25     x^25 ⊕ x^20 ⊕ x^12 ⊕ x^8 ⊕ 1                5
LFSR2    31     x^31 ⊕ x^24 ⊕ x^16 ⊕ x^12 ⊕ 1               5
LFSR3    33     x^33 ⊕ x^28 ⊕ x^24 ⊕ x^4 ⊕ 1                5
LFSR4    39     x^39 ⊕ x^36 ⊕ x^28 ⊕ x^4 ⊕ 1                5

Table 4. Primitive Feedback Polynomials of E0 (From [28, p. 938])


The Hamming weight of each primitive polynomial is five; therefore, the
generated sequences have good statistical properties. At the same time, they
are easy to implement in hardware.

The encryption process of E0 is described below. The LFSRs and the
memory bits are initialized with the key, an address, a random number, and
clocking bits. The clocking bits ensure that the system will not run numerous
times with the same initialization and therefore disclose bits of the key. Let $x_t^i$
denote the output bit of LFSR$_i$ at clock time $t$. Then we generate the value $y_t$
from the 4-tuple $(x_t^1, x_t^2, x_t^3, x_t^4)$ by:

$$y_t = \sum_{i=1}^{4} x_t^i \qquad (5.1)$$

The summation is over the integers, which means that $y_t$ belongs to $\{0, 1, 2, 3, 4\}$.
The output of the summation generator can be obtained as follows.^2
The function is formed using the XOR operation and one can generate the bit $z_t$ of
the keystream:

$$z_t = f_0(x_t, c_t^0) = x_t^1 \oplus x_t^2 \oplus x_t^3 \oplus x_t^4 \oplus c_t^0, \qquad z_t \in \{0, 1\} \qquad (5.2)$$

2 The glossary of the E0 keystream generator can be found in Appendix D.


(5.2) 


The nonlinearity of E0 comes from the function $f$, whose output is a two-bit
value $s_t$; with $c_t$ read as the integer $2c_t^1 + c_t^0$,

$$s_{t+1} = (s_{t+1}^1, s_{t+1}^0) = \left\lfloor \frac{y_t + c_t}{2} \right\rfloor \in \{0, 1, 2, 3\} \qquad (5.3)$$

The "+" symbol in Equation (5.3) is the usual integer sum. The memory update
function is a composition of $f$ and the maps $T_1$, $T_2$ and is linear, with the following form:

$$c_{t+1} = s_{t+1} \oplus T_1[c_t] \oplus T_2[c_{t-1}] \qquad (5.4)$$

where $T_1[\cdot]$ and $T_2[\cdot]$ are two different linear bijections over GF(4), summarized in
Table 6 [28, p. 939].


E0 Linear Bijections Mapping to Binary Vectors

x      T_1[x]    T_2[x]
00     00        00
01     01        11
10     10        01
11     11        10

T_1 : (x_1, x_0) ↦ (x_1, x_0)
T_2 : (x_1, x_0) ↦ (x_0, x_1 ⊕ x_0)

Table 5. Mappings of T_1 and T_2


The E0 algorithm must be initialized with a value for the four LFSRs (128
bits in total) and the four bits that specify the values of $c_0, c_{-1}$. The 132-bit initial
value is derived from four inputs using the keystream generator. The input
parameters are $K_C$, a 128-bit random number RAND, a 48-bit Bluetooth device
address, and the twenty-six originator's device clock bits $CLK_{26-1}$ [28, p. 940].
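The following bit-level model of the E0 keystream generator is an added example, not code from the thesis or from the Bluetooth specification. It implements Equations (5.1)-(5.6) with the register lengths and feedback polynomials of Table 4 and the bijections T_1/T_2 of Table 5. Two details the text leaves open are assumed here: the registers are Fibonacci-style with the output taken from the oldest stage, and the seeds are loaded directly (the E3/K_C' key schedule of Section B is not modelled). The helper `four_clock_parity` exists only to exercise the combiner on chosen LFSR inputs; with all four LFSR outputs held at zero the XOR of four consecutive keystream bits is zero for every memory state, which is the memoryless behaviour that Section D turns into Equation (5.8).

```python
"""Bit-level model of the E0 keystream generator (added example, not the thesis's code)."""

# Table 4: feedback polynomials as exponent tuples, leading term first.
E0_POLYNOMIALS = (
    (25, 20, 12, 8, 0),   # f1(x) = x^25 + x^20 + x^12 + x^8 + 1
    (31, 24, 16, 12, 0),  # f2(x) = x^31 + x^24 + x^16 + x^12 + 1
    (33, 28, 24, 4, 0),   # f3(x) = x^33 + x^28 + x^24 + x^4 + 1
    (39, 36, 28, 4, 0),   # f4(x) = x^39 + x^36 + x^28 + x^4 + 1
)


def T1(c):
    """Table 5, T1: (c1, c0) -> (c1, c0); c is the integer 2*c1 + c0."""
    return c & 3


def T2(c):
    """Table 5, T2: (c1, c0) -> (c0, c1 xor c0)."""
    c1, c0 = (c >> 1) & 1, c & 1
    return (c0 << 1) | (c1 ^ c0)


class LFSR:
    """Fibonacci LFSR (assumed layout): s[n+L] = s[n] + s[n+a] + s[n+b] + s[n+c] over GF(2)."""

    def __init__(self, exponents, seed):
        self.length = exponents[0]
        if not 0 < seed < (1 << self.length):
            raise ValueError("seed must be a nonzero value of at most %d bits" % self.length)
        self.stages = [(seed >> i) & 1 for i in range(self.length)]  # stages[0] is the oldest bit
        self.taps = exponents[1:]                                   # non-leading terms, incl. x^0

    def clock(self):
        out = self.stages[0]
        feedback = 0
        for e in self.taps:
            feedback ^= self.stages[e]
        self.stages = self.stages[1:] + [feedback]
        return out


class SummationCombiner:
    """The 16-state summation combiner: memory bits c_t and c_{t-1}, two bits each."""

    def __init__(self, c_t=0, c_prev=0):
        self.c_t, self.c_prev = c_t & 3, c_prev & 3

    def clock(self, x):
        x1, x2, x3, x4 = x
        y = x1 + x2 + x3 + x4                               # (5.1): integer sum in 0..4
        z = x1 ^ x2 ^ x3 ^ x4 ^ (self.c_t & 1)              # (5.2): XOR with c_t^0
        s_next = (y + self.c_t) >> 1                        # (5.3): floor((y_t + c_t)/2) in 0..3
        c_next = s_next ^ T1(self.c_t) ^ T2(self.c_prev)    # (5.4), i.e. (5.5) and (5.6)
        self.c_prev, self.c_t = self.c_t, c_next
        return z


class E0Generator:
    def __init__(self, seeds, c_t=0, c_prev=0):
        self.lfsrs = [LFSR(p, s) for p, s in zip(E0_POLYNOMIALS, seeds)]
        self.combiner = SummationCombiner(c_t, c_prev)

    def keystream(self, n):
        bits = []
        for _ in range(n):
            x = tuple(r.clock() for r in self.lfsrs)
            bits.append(self.combiner.clock(x))
        return bits


def xor_bits(data, keystream):
    """Encryption and decryption are the same XOR with the keystream (Section B)."""
    return [p ^ k for p, k in zip(data, keystream)]


def four_clock_parity(x_sequence, c_t, c_prev):
    """XOR of z_t..z_{t+3} for a combiner fed the given LFSR 4-tuples from the given memory."""
    comb = SummationCombiner(c_t, c_prev)
    parity = 0
    for x in x_sequence:
        parity ^= comb.clock(x)
    return parity


if __name__ == "__main__":
    seeds = (0x1ABCDEF, 0x2345678, 0x1DEADBEE, 0x3CAFEBABE)  # constructed, nonzero seeds
    ks = E0Generator(seeds).keystream(32)
    plaintext = [1, 0, 1, 1, 0, 0, 1, 0] * 4                  # constructed sample bits
    ciphertext = xor_bits(plaintext, ks)
    print("keystream:", "".join(map(str, ks)))
    print("roundtrip:", xor_bits(ciphertext, E0Generator(seeds).keystream(32)) == plaintext)
```

Because the true Bluetooth initialization (E3, the K_C' transformation and the clocking of the registers during the premix) is not reproduced, the keystream above is that of a generic E0 combiner over these registers, not the keystream a real device would emit for these values.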
D. MODELING ENCRYPTION FUNCTION OF E0

During the author's investigation of the encryption function of the E0
algorithm, he adopted Armknecht and Krause's approach [22] in order to find a
function that does not depend on the memory bits and holds for every clock tick.

Let $z_t$ be the keystream bit produced by E0 at clock $t$, $z_{t+1}$ the
keystream bit produced by E0 at clock $t + 1$, etc. These bits are randomly
generated. At every clock value, the output of E0 is the bit $z_t$, which depends
on the output bits of the four LFSRs, $x_t \in \{0,1\}^4$, and the four memory
bits $c_t \in \{0,1\}^4$.

In more detail, the components of $c_t = (c_t^1, c_t^0)$ are as follows:

$$c_{t+1}^1 = s_{t+1}^1 \oplus c_t^1 \oplus c_{t-1}^0, \qquad (5.5)$$

$$c_{t+1}^0 = s_{t+1}^0 \oplus c_t^0 \oplus c_{t-1}^1 \oplus c_{t-1}^0. \qquad (5.6)$$

The goal of the cryptanalysis is to come up with an equation that describes the
encryption of the E0 keystream generator consisting only of the bits of the LFSRs
and the keystream bits $z_t$, while eliminating the memory bits $c_t$. The reason is that
the author does not want to use a polynomial of degree $n$ for which the system of
equations would be unsolvable [23, p. 5].

The encryption function $G$ for E0 becomes

$$G(X(t), z_t, z_{t+1}, z_{t+2}, z_{t+3}) = 0, \quad \text{where } X(t) = (x_t, x_{t+1}, x_{t+2}, x_{t+3}).$$
More specifically,

$$
\begin{aligned}
& z_t \oplus z_{t+1} \oplus z_{t+2} \oplus z_{t+3} \oplus \Pi^2_{t+1}(z_t \oplus z_{t+1} \oplus z_{t+2} \oplus z_{t+3}) \oplus \Pi^4_{t+1} \oplus \\
& \Pi^1_{t+1}(z_t \oplus z_{t+2} \oplus z_{t+3} \oplus z_t z_{t+1} \oplus z_{t+1} z_{t+2} \oplus z_{t+1} z_{t+3}) \oplus \\
& \Pi^1_t \oplus \Pi^1_t \Pi^1_{t+1}(1 \oplus z_{t+1}) \oplus \Pi^1_t \Pi^2_{t+1} \oplus \Pi^1_{t+2} z_{t+1} \oplus \Pi^1_{t+2} \Pi^1_{t+1} z_{t+2}(z_{t+1} \oplus 1) \oplus \\
& \Pi^1_{t+2} \Pi^2_{t+1} z_{t+2} \oplus \Pi^2_{t+2} \oplus \Pi^2_{t+2} \Pi^1_{t+1}(1 \oplus z_{t+1}) \oplus \Pi^2_{t+2} \Pi^2_{t+1} \oplus \\
& \Pi^1_{t+3} \oplus \Pi^1_{t+3} \Pi^1_{t+1}(1 \oplus z_{t+1}) \oplus \Pi^1_{t+3} \Pi^2_{t+1} \oplus \\
& \Pi^3_{t+1} z_{t+1} \oplus \Pi^2_{t+1} \oplus \Pi^1_{t+1} = 0, \qquad (5.8)
\end{aligned}
$$

where $\Pi^i_t$ denotes the $i$-th elementary symmetric polynomial in the bits of $x_t$.
Writing $x_t = (x_1, x_2, x_3, x_4)$, $x_{t+1} = (x_5, x_6, x_7, x_8)$, $x_{t+2} = (x_9, x_{10}, x_{11}, x_{12})$
and $x_{t+3} = (x_{13}, x_{14}, x_{15}, x_{16})$:

$$
\begin{aligned}
\Pi^1_t &= x_1 \oplus x_2 \oplus x_3 \oplus x_4 \\
\Pi^2_t &= x_1x_2 \oplus x_1x_3 \oplus x_1x_4 \oplus x_2x_3 \oplus x_2x_4 \oplus x_3x_4 \\
\Pi^3_t &= x_1x_2x_3 \oplus x_1x_2x_4 \oplus x_1x_3x_4 \oplus x_2x_3x_4 \\
\Pi^4_t &= x_1x_2x_3x_4
\end{aligned} \qquad (5.9)
$$

$$
\begin{aligned}
\Pi^1_{t+1} &= x_5 \oplus x_6 \oplus x_7 \oplus x_8 \\
\Pi^2_{t+1} &= x_5x_6 \oplus x_5x_7 \oplus x_5x_8 \oplus x_6x_7 \oplus x_6x_8 \oplus x_7x_8 \\
\Pi^3_{t+1} &= x_5x_6x_7 \oplus x_5x_6x_8 \oplus x_5x_7x_8 \oplus x_6x_7x_8 \\
\Pi^4_{t+1} &= x_5x_6x_7x_8
\end{aligned} \qquad (5.10)
$$

$$
\begin{aligned}
\Pi^1_{t+2} &= x_9 \oplus x_{10} \oplus x_{11} \oplus x_{12} \\
\Pi^2_{t+2} &= x_9x_{10} \oplus x_9x_{11} \oplus x_9x_{12} \oplus x_{10}x_{11} \oplus x_{10}x_{12} \oplus x_{11}x_{12} \\
\Pi^3_{t+2} &= x_9x_{10}x_{11} \oplus x_9x_{10}x_{12} \oplus x_9x_{11}x_{12} \oplus x_{10}x_{11}x_{12} \\
\Pi^4_{t+2} &= x_9x_{10}x_{11}x_{12}
\end{aligned} \qquad (5.11)
$$

$$
\begin{aligned}
\Pi^1_{t+3} &= x_{13} \oplus x_{14} \oplus x_{15} \oplus x_{16} \\
\Pi^2_{t+3} &= x_{13}x_{14} \oplus x_{13}x_{15} \oplus x_{13}x_{16} \oplus x_{14}x_{15} \oplus x_{14}x_{16} \oplus x_{15}x_{16} \\
\Pi^3_{t+3} &= x_{13}x_{14}x_{15} \oplus x_{13}x_{14}x_{16} \oplus x_{13}x_{15}x_{16} \oplus x_{14}x_{15}x_{16} \\
\Pi^4_{t+3} &= x_{13}x_{14}x_{15}x_{16}
\end{aligned} \qquad (5.12)
$$
and the output bit streams for clock times $t+2$, $t+3$ are as follows:

(5.13)

Theorem 5.1: The encryption function of E0 depends only on the output
bits of the four LFSRs and the output keystream bit, and holds for every clock tick.
Four consecutive clock ticks are needed.

Proof (from [22]):

The keystream generator E0 consists of four LFSRs and four memory
bits. For every clock time $t$ an output $z_t$ is produced based on the outputs
$x_t = (x_t^1, x_t^2, x_t^3, x_t^4)$ of the four LFSRs and the four memory bits $c_t$.
The next memory bits at clock time $t + 1$ are $c_{t+1} = (q_{t+1}, p_{t+1}, q_t, p_t)$. The memory
bits $q_t, p_t$ appear in both clock times $t$ and $t + 1$. The variable $\Pi^i_t$ denotes the $i$-th
elementary symmetric polynomial over $x_t = (x_t^1, x_t^2, x_t^3, x_t^4)$, which is the sum of
all monomials of length $i \le 4$.

Thus, 


However,  at  the  same  time 

p+i  =  Pt-x .  ■^“+1  ®  (it-i  ®p,,q‘,p‘) 


+^q,+Pt 


(5.14) 

(5.15) 


(5.16) 

(5.17) 
The contents of the LFSRs and the value of $c_t$ are set at the beginning. All the
other values may be calculated from these.

From Equations (5.15) and (5.16), the following is obtained:

$$c_{t+1} = (q_{t+1}, p_{t+1}, q_t, p_t) = (s^1_{t+1} \oplus q_t \oplus p_{t-1},\; s^0_{t+1} \oplus p_t \oplus q_{t-1} \oplus p_{t-1},\; q_t,\; p_t) \qquad (5.18)$$

Assume $f_0$ and $f_1$ are two Boolean functions derived from Equations (5.3) and
(5.4) such that:

$$s^z_{t+1} = f_z(x_t, q_t, p_t), \quad \text{where } z \in \{0, 1\} \qquad (5.19)$$

Armknecht [22, pp. 173-174] proved that the algebraic normal forms of $f_0$ and $f_1$
have the expressions:

$$f_0 = \Pi^2_t \oplus \Pi^1_t p_t \oplus q_t, \qquad (5.20)$$

$$f_1 = \Pi^4_t \oplus \Pi^3_t p_t \oplus \Pi^2_t q_t \oplus \Pi^1_t p_t q_t. \qquad (5.21)$$

Based on Equation (5.18) we obtain

$$p_{t+1} = s^0_{t+1} \oplus p_t \oplus q_{t-1} \oplus p_{t-1} = \Pi^2_t \oplus \Pi^1_t p_t \oplus q_t \oplus q_{t-1} \oplus p_t \oplus p_{t-1}, \qquad (5.22)$$

$$q_{t+1} = s^1_{t+1} \oplus q_t \oplus p_{t-1} = \Pi^4_t \oplus \Pi^3_t p_t \oplus \Pi^2_t q_t \oplus \Pi^1_t p_t q_t \oplus q_t \oplus p_{t-1}. \qquad (5.23)$$

The values of $p_{t+1}$ and $q_{t+1}$ depend on $x_t, q_t, q_{t-1}, p_t, p_{t-1}$ and $x_t, q_t, p_t, p_{t-1}$,
respectively.

Equations (5.22) and (5.23) are simplified by using the following equations:

$$\Phi(t) = \Pi^4_t \oplus \Pi^3_t p_t \oplus p_{t-1}, \qquad (5.24)$$

$$\Psi(t) = \Pi^2_t \oplus \Pi^1_t p_t \oplus 1. \qquad (5.25)$$

Therefore, Equations (5.22) and (5.23) become

$$p_{t+1} = \Psi(t) \oplus 1 \oplus q_t \oplus p_{t-1} \oplus p_t \oplus q_{t-1}, \qquad (5.26)$$

$$q_{t+1} = \Phi(t) \oplus \Psi(t) q_t. \qquad (5.27)$$

From Equation (5.27), the following is obtained:

$$\Psi(t) q_{t+1} = \Psi(t)\big(\Phi(t) \oplus \Psi(t) q_t\big) \quad \text{or} \quad \Psi(t)\big(\Phi(t) \oplus q_t \oplus q_{t+1}\big) = 0, \quad \text{since } \Psi(t)\Psi(t) = \Psi(t). \qquad (5.28)$$

Equation (5.26) is then transformed into the following:

$$q_t \oplus q_{t-1} = \Psi(t) \oplus 1 \oplus p_{t-1} \oplus p_t \oplus p_{t+1}. \qquad (5.29)$$

Replacing $t$ by $t + 1$ in Equation (5.28) and applying Equation (5.29), we have:

$$\Psi(t)\big(\Phi(t) \oplus \Psi(t+1) \oplus 1 \oplus p_t \oplus p_{t+1} \oplus p_{t+2}\big) = 0. \qquad (5.30)$$

Applying Equation (5.14) we are now able to derive Equation (5.8), which holds
for every clock $t$ and does not contain any memory bits:

$$
\begin{aligned}
& z_t \oplus z_{t+1} \oplus z_{t+2} \oplus z_{t+3} \oplus \Pi^2_{t+1}(z_t \oplus z_{t+1} \oplus z_{t+2} \oplus z_{t+3}) \oplus \Pi^4_{t+1} \oplus \\
& \Pi^1_{t+1}(z_t \oplus z_{t+2} \oplus z_{t+3} \oplus z_t z_{t+1} \oplus z_{t+1} z_{t+2} \oplus z_{t+1} z_{t+3}) \oplus \\
& \Pi^1_t \oplus \Pi^1_t \Pi^1_{t+1}(1 \oplus z_{t+1}) \oplus \Pi^1_t \Pi^2_{t+1} \oplus \Pi^1_{t+2} z_{t+1} \oplus \Pi^1_{t+2} \Pi^1_{t+1} z_{t+2}(z_{t+1} \oplus 1) \oplus \\
& \Pi^1_{t+2} \Pi^2_{t+1} z_{t+2} \oplus \Pi^2_{t+2} \oplus \Pi^2_{t+2} \Pi^1_{t+1}(1 \oplus z_{t+1}) \oplus \Pi^2_{t+2} \Pi^2_{t+1} \oplus \\
& \Pi^1_{t+3} \oplus \Pi^1_{t+3} \Pi^1_{t+1}(1 \oplus z_{t+1}) \oplus \Pi^1_{t+3} \Pi^2_{t+1} \oplus \\
& \Pi^3_{t+1} z_{t+1} \oplus \Pi^2_{t+1} \oplus \Pi^1_{t+1} = 0,
\end{aligned}
$$

and in a more generic form:

$$G(x_1, x_2, \ldots, x_{16}, z_t, z_{t+1}, z_{t+2}, z_{t+3}) = 0.$$

Equation (5.8), of degree 4 with twenty variables, can be fully described by the
following expression:
$$
\begin{aligned}
Q = {} & a \oplus b \oplus c \oplus d \oplus \\
& (x_5x_6 \oplus x_5x_7 \oplus x_5x_8 \oplus x_6x_7 \oplus x_6x_8 \oplus x_7x_8)(a \oplus b \oplus c \oplus d) \oplus x_5x_6x_7x_8 \oplus \\
& (x_5 \oplus x_6 \oplus x_7 \oplus x_8)(a \oplus c \oplus d \oplus ab \oplus bc \oplus bd) \oplus x_1 \oplus x_2 \oplus x_3 \oplus x_4 \oplus \\
& (x_1 \oplus x_2 \oplus x_3 \oplus x_4)(x_5 \oplus x_6 \oplus x_7 \oplus x_8)(1 \oplus b) \oplus \\
& (x_1 \oplus x_2 \oplus x_3 \oplus x_4)(x_5x_6 \oplus x_5x_7 \oplus x_5x_8 \oplus x_6x_7 \oplus x_6x_8 \oplus x_7x_8) \oplus \\
& (x_9 \oplus x_{10} \oplus x_{11} \oplus x_{12})\,b \oplus (x_9 \oplus x_{10} \oplus x_{11} \oplus x_{12})(x_5 \oplus x_6 \oplus x_7 \oplus x_8)\,c\,(b \oplus 1) \oplus \\
& (x_9 \oplus x_{10} \oplus x_{11} \oplus x_{12})(x_5x_6 \oplus x_5x_7 \oplus x_5x_8 \oplus x_6x_7 \oplus x_6x_8 \oplus x_7x_8)\,c \oplus \\
& (x_9x_{10} \oplus x_9x_{11} \oplus x_9x_{12} \oplus x_{10}x_{11} \oplus x_{10}x_{12} \oplus x_{11}x_{12}) \oplus \\
& (x_9x_{10} \oplus x_9x_{11} \oplus x_9x_{12} \oplus x_{10}x_{11} \oplus x_{10}x_{12} \oplus x_{11}x_{12})(x_5 \oplus x_6 \oplus x_7 \oplus x_8)(1 \oplus b) \oplus \\
& (x_9x_{10} \oplus x_9x_{11} \oplus x_9x_{12} \oplus x_{10}x_{11} \oplus x_{10}x_{12} \oplus x_{11}x_{12})(x_5x_6 \oplus x_5x_7 \oplus x_5x_8 \oplus x_6x_7 \oplus x_6x_8 \oplus x_7x_8) \oplus \\
& x_{13} \oplus x_{14} \oplus x_{15} \oplus x_{16} \oplus (x_{13} \oplus x_{14} \oplus x_{15} \oplus x_{16})(x_5 \oplus x_6 \oplus x_7 \oplus x_8)(b \oplus 1) \oplus \\
& (x_{13} \oplus x_{14} \oplus x_{15} \oplus x_{16})(x_5x_6 \oplus x_5x_7 \oplus x_5x_8 \oplus x_6x_7 \oplus x_6x_8 \oplus x_7x_8) \oplus \\
& x_5x_6x_7\,b \oplus x_5x_6x_8\,b \oplus x_5x_7x_8\,b \oplus x_6x_7x_8\,b \oplus x_5x_6 \oplus x_5x_7 \oplus x_5x_8 \oplus x_6x_7 \oplus x_6x_8 \oplus x_7x_8 \oplus \\
& x_5 \oplus x_6 \oplus x_7 \oplus x_8, \qquad (5.31)
\end{aligned}
$$

with $a = z_t$, $b = z_{t+1}$, $c = z_{t+2}$ and $d = z_{t+3}$. The full expansion of the encryption function of E0 can be found in Appendix A.
VI. AUTOMATED TOOL FOR MODELING CUBE ATTACK


No  matter  how  correct  a  mathematical  theorem  may  appear  to  be, 
one  ought  never  to  be  satisfied  that  there  was  not  something 
imperfect  about  it  until  it  also  gives  the  impression  of  being 
beautiful. 

George  Boole  (1815-1864) 

A.  OVERVIEW 

In this chapter, the author implemented Dinur and Shamir's cube attack on
a Bluetooth E0 keystream generator. In order to do that, he modeled the E0
encryption function of Bluetooth in Chapter V. He then created an automated tool
in the Maple 12 environment (http://www.maplesoft.com) that finds all of the
maxterms and their corresponding superpolys (linear coefficients) of the
encryption function. Then, in the online phase, he used a chosen plaintext attack
in order to solve the system of linear equations he found. Eventually, he
evaluated the results and investigated the complexity of the process.

B.  APPROACH— BASIC  ASSUMPTIONS 

The most time-consuming work in the computation process, namely
finding the maxterms and their corresponding superpolys, was executed in the
Maple 12 environment. Maple is a high-level programming language with
powerful built-in symbolic algebra, numerical and graphical capabilities. The
reason the author chose Maple 12 instead of any other programming
language like C, C++, Java, or symbolic Python was mainly that he wanted to
benefit from the advantages of a high-performance mathematical engine with
fully integrated numerals and symbols, especially in algebra. With this in mind,
under the guidance of an expert programmer in the Maple environment, Dr.
David Canright, Associate Professor of the Department of Applied Mathematics
of the Naval Postgraduate School, the author created effective code in a compact
and optimal way.
1. Modeling Environment

Maple  uses  a  C-like  programming  language.  It  has  many  of  the  features 
that  other  high-level  programming  languages  have,  like  loops,  conditionals,  and 
functions.  Maple  does  not  support  classes  of  objects;  however,  this  feature  is 
overcome  by  a  rich  set  of  packages  available  for  Maple.  Maple  can  generate 
code  in  other  high-level  programming  languages  like  C,  Java,  Fortran,  Visual 
Basic  and  Matlab  using  the  CodeGeneration  package.  The  OpenWatcom  C 
compiler  is  used  for  the  Maple  compiler.  This  allows  the  user  to  compile  some 
types  of  user-written  Maple  routines  to  increase  code  performance. 

Maple  12  works  on  Windows  (2000,  2003,  XP,  Vista),  Macintosh,  UNIX, 
Linux  and  Solaris  environments.  Developers’  system  recommendations  include 
the  following  [29]: 

■  CPU:  AMD  X86_64/ 1  GHz/Intel  Xeon/  Intel  64 

■  RAM:  512MB  (at  least) 

■  Hard  disk:  1  GB 

The  computational  interfaces  Maple  12  has  available  for  its  users  include 
the  standard  worksheet,  which  is  the  environment  that  the  author  worked  in.  The 
standard  worksheet  is  a  full-feature  graphical  user  interface  that  enables  users  to 
create  documents,  and  it  displays  all  the  calculations  and  possible  errors  in  the 
results.  The  standard  interface  is  written  primarily  in  Java  to  speed  up  the 
computational  process  and  provide  portability.  The  standard  worksheet  has  two 
modes:  the  document  mode  and  the  worksheet  mode.  The  main  difference 
between  these  two  modes  is  that  in  the  first  interface  the  user  hides  all 
commands  used  to  perform  calculations  whereas  in  the  latter  interface  the  user 
shows  all  commands.  Maple  12  also  has  other  user  interfaces  such  as  the 
classic  worksheet,  which  is  a  basic  worksheet  environment  for  computers  with 
limited  memory;  and  the  command  line  interface,  in  which  a  user  may  solve  large 
and  complex  problems  without  thorough  graphical  user  interface  features 
available. 
The Maplesoft graphing calculator provides another Maple 12 interface
and is available for computers using the Microsoft Windows operating system
only. This graphical user interface contains windows, textbox regions and other
visual interfaces that give the user a point-and-click interface to access the
computation processor of Maple without using the worksheet. Finally, Maple
provides the Maplet application. It has a graphical calculator interface that the
user can use to perform simple computations and create customizable graphs in
a Windows environment only [30].

2.  Basic  Assumptions 

In  part,  the  cube  attack  is  a  chosen  plaintext  attack:  the  part  that  can  be 
manipulated  by  the  attacker.  To  implement  the  cube  attack,  we  assume  the 
attacker  has  the  capability  to  properly  send  structured  packets  that  the  Bluetooth 
receiver  will  respond  to,  thus  providing  the  attacker  with  access  to  the  encryption 
machine.  This  machine  behaves  like  an  oracle.  If  the  attacker  convinces  the 
oracle  it  is  a  legitimate  participant,  it  will  be  duped  into  sending  data  to  the 
attacker  or  another  participant;  however,  the  attacker  can  observe  “over  the  air” 
whatever  responses  the  oracle  or  the  user  sends  back. 

For  example,  the  attacker  can  masquerade  as  a  real  user,  with  sufficient 
detail  to  send  data  to  the  oracle.  The  oracle  will  return  encrypted  data  to  the 
attacker  or  an  authorized  user/participant  in  the  communication  process,  and  the 
attacker  will  collect  this  data.  The  attacker  thus  gains  some  knowledge  of  the 
output  bitstreams  for  the  combiner  at  clock  ticks  t,  t+1,  t+2,  and  t+3. 

The following theorem was derived from our investigation:

Theorem 6.1: The maxterms of the E0 encryption function can only be of 2nd
or 3rd degree.

Proof: 

Assume that a maxterm could be of degree 4. By Definition 4.3 of the term
called maxterm, in order for a maxterm of degree 4 to exist there must be terms of the
5th degree in the E0 encryption function. Since the encryption function being used in
this study (Appendix A) is of degree 4, it cannot have a maxterm of degree 4.

Assume that a maxterm could be of degree 1. Then, by the definition of
maxterm, since the cofactor must be linear and not constant, one must check all
the 2nd-degree terms of the encryption function of E0 in Equation (5.31). Thus, one
may observe there that the only terms of the 2nd degree derive from the following
products:

$\Pi^2_{t+1}(z_t \oplus z_{t+1} \oplus z_{t+2} \oplus z_{t+3})$, $\Pi^1_t \Pi^1_{t+1}(1 \oplus z_{t+1})$,
$\Pi^1_{t+2}\Pi^1_{t+1} z_{t+2}(z_{t+1} \oplus 1)$, $\Pi^2_{t+2}$, $\Pi^1_{t+3}\Pi^1_{t+1}(1 \oplus z_{t+1})$ and $\Pi^2_{t+1}$.

Each term of the 2nd degree is examined as follows:

$$
\begin{aligned}
\Pi^2_{t+1}(z_t \oplus z_{t+1} \oplus z_{t+2} \oplus z_{t+3}) = {} & x_5x_6a \oplus x_5x_6b \oplus x_5x_6c \oplus x_5x_6d \oplus x_5x_7a \oplus x_5x_7b \oplus x_5x_7c \oplus x_5x_7d \oplus \\
& x_5x_8a \oplus x_5x_8b \oplus x_5x_8c \oplus x_5x_8d \oplus x_6x_7a \oplus x_6x_7b \oplus x_6x_7c \oplus x_6x_7d \oplus \\
& x_6x_8a \oplus x_6x_8b \oplus x_6x_8c \oplus x_6x_8d \oplus x_7x_8a \oplus x_7x_8b \oplus x_7x_8c \oplus x_7x_8d, \qquad (6.1)
\end{aligned}
$$

$$
\begin{aligned}
\Pi^1_t \Pi^1_{t+1}(1 \oplus z_{t+1}) = {} & x_1x_5 \oplus x_1x_6 \oplus x_1x_7 \oplus x_1x_8 \oplus x_2x_5 \oplus x_2x_6 \oplus x_2x_7 \oplus x_2x_8 \oplus \\
& x_3x_5 \oplus x_3x_6 \oplus x_3x_7 \oplus x_3x_8 \oplus x_4x_5 \oplus x_4x_6 \oplus x_4x_7 \oplus x_4x_8 \oplus \\
& x_1x_5b \oplus x_1x_6b \oplus x_1x_7b \oplus x_1x_8b \oplus x_2x_5b \oplus x_2x_6b \oplus x_2x_7b \oplus x_2x_8b \oplus \\
& x_3x_5b \oplus x_3x_6b \oplus x_3x_7b \oplus x_3x_8b \oplus x_4x_5b \oplus x_4x_6b \oplus x_4x_7b \oplus x_4x_8b, \qquad (6.2)
\end{aligned}
$$

$$
\begin{aligned}
\Pi^1_{t+2}\Pi^1_{t+1} z_{t+2}(z_{t+1} \oplus 1) = {} & x_9x_5cb \oplus x_9x_6cb \oplus x_9x_7cb \oplus x_9x_8cb \oplus x_{10}x_5cb \oplus x_{10}x_6cb \oplus x_{10}x_7cb \oplus x_{10}x_8cb \oplus \\
& x_{11}x_5cb \oplus x_{11}x_6cb \oplus x_{11}x_7cb \oplus x_{11}x_8cb \oplus x_{12}x_5cb \oplus x_{12}x_6cb \oplus x_{12}x_7cb \oplus x_{12}x_8cb \oplus \\
& x_9x_5c \oplus x_9x_6c \oplus x_9x_7c \oplus x_9x_8c \oplus x_{10}x_5c \oplus x_{10}x_6c \oplus x_{10}x_7c \oplus x_{10}x_8c \oplus \\
& x_{11}x_5c \oplus x_{11}x_6c \oplus x_{11}x_7c \oplus x_{11}x_8c \oplus x_{12}x_5c \oplus x_{12}x_6c \oplus x_{12}x_7c \oplus x_{12}x_8c, \qquad (6.3)
\end{aligned}
$$

$$\Pi^2_{t+2} = x_9x_{10} \oplus x_9x_{11} \oplus x_9x_{12} \oplus x_{10}x_{11} \oplus x_{10}x_{12} \oplus x_{11}x_{12}, \qquad (6.4)$$

$$
\begin{aligned}
\Pi^1_{t+3}\Pi^1_{t+1}(1 \oplus z_{t+1}) = {} & x_{13}x_5 \oplus x_{13}x_6 \oplus x_{13}x_7 \oplus x_{13}x_8 \oplus x_{14}x_5 \oplus x_{14}x_6 \oplus x_{14}x_7 \oplus x_{14}x_8 \oplus \\
& x_{15}x_5 \oplus x_{15}x_6 \oplus x_{15}x_7 \oplus x_{15}x_8 \oplus x_{16}x_5 \oplus x_{16}x_6 \oplus x_{16}x_7 \oplus x_{16}x_8 \oplus \\
& x_{13}x_5b \oplus x_{13}x_6b \oplus x_{13}x_7b \oplus x_{13}x_8b \oplus x_{14}x_5b \oplus x_{14}x_6b \oplus x_{14}x_7b \oplus x_{14}x_8b \oplus \\
& x_{15}x_5b \oplus x_{15}x_6b \oplus x_{15}x_7b \oplus x_{15}x_8b \oplus x_{16}x_5b \oplus x_{16}x_6b \oplus x_{16}x_7b \oplus x_{16}x_8b, \qquad (6.5)
\end{aligned}
$$

$$\Pi^2_{t+1} = x_5x_6 \oplus x_5x_7 \oplus x_5x_8 \oplus x_6x_7 \oplus x_6x_8 \oplus x_7x_8. \qquad (6.6)$$

Notice that $a, b, c$, and $d$ are assumed known bits (0 or 1) because we assume that
the attacker can intercept them; therefore, their appearance as terms in the
equation does not increase the degree of the equation, since they behave as
constants.

In the next steps, the author investigates the unknown variables $x_1, \ldots, x_{12}$ that
appear in Equations (6.1) through (6.6).

We note that if one factors by $x_1$ (thought of as a maxterm) in
Equations (6.1) and (6.2) where $x_1$ appears, then one gets
$x_1(x_5 \oplus x_6 \oplus x_7 \oplus x_8 \oplus x_5b \oplus x_6b \oplus x_7b \oplus x_8b)$. However, looking at Equation
(5.31), $x_1$ also appears in the product:

$$\Pi^1_t \Pi^2_{t+1} = (x_1 \oplus x_2 \oplus x_3 \oplus x_4)(x_5x_6 \oplus x_5x_7 \oplus x_5x_8 \oplus x_6x_7 \oplus x_6x_8 \oplus x_7x_8).$$

That means that the superpoly is not going to be linear but of 2nd degree and,
based on Definition 4.3, $x_1$ fails to be a maxterm.

Similarly, the appearance of the same product in Equation (5.31) makes
the variables $x_2, x_3, x_4, x_5, x_6, x_7, x_8$ fail to be maxterms for the same reason.^3




3 Note that variables $x_5, x_6, x_7, x_8$ fail at being maxterms because $\Pi^4_{t+1} = x_5x_6x_7x_8$ appears
in Equation (5.31).
If one factors $x_9$ from Equations (6.3) and (6.4), one gets the following
product: $x_9(x_5cb \oplus x_6cb \oplus x_7cb \oplus x_8cb \oplus x_{10} \oplus x_{11} \oplus x_{12})$, where $x_9$ fulfills Definition
4.3. However, looking at Equation (5.31), $x_9$ also appears in the product:

$$
\begin{aligned}
\Pi^2_{t+2}\Pi^2_{t+1} = {} & (x_9x_{10} \oplus x_9x_{11} \oplus x_9x_{12} \oplus x_{10}x_{11} \oplus x_{10}x_{12} \oplus x_{11}x_{12})(x_5x_6 \oplus x_5x_7 \oplus x_5x_8 \oplus x_6x_7 \oplus x_6x_8 \oplus x_7x_8) = \\
& x_9x_{10}x_5x_6 \oplus x_9x_{10}x_5x_7 \oplus x_9x_{10}x_5x_8 \oplus x_9x_{10}x_6x_7 \oplus x_9x_{10}x_6x_8 \oplus x_9x_{10}x_7x_8 \oplus \\
& x_9x_{11}x_5x_6 \oplus x_9x_{11}x_5x_7 \oplus x_9x_{11}x_5x_8 \oplus x_9x_{11}x_6x_7 \oplus x_9x_{11}x_6x_8 \oplus x_9x_{11}x_7x_8 \oplus \\
& x_9x_{12}x_5x_6 \oplus x_9x_{12}x_5x_7 \oplus x_9x_{12}x_5x_8 \oplus x_9x_{12}x_6x_7 \oplus x_9x_{12}x_6x_8 \oplus x_9x_{12}x_7x_8 \oplus \\
& x_{10}x_{11}x_5x_6 \oplus x_{10}x_{11}x_5x_7 \oplus x_{10}x_{11}x_5x_8 \oplus x_{10}x_{11}x_6x_7 \oplus x_{10}x_{11}x_6x_8 \oplus x_{10}x_{11}x_7x_8 \oplus \\
& x_{10}x_{12}x_5x_6 \oplus x_{10}x_{12}x_5x_7 \oplus x_{10}x_{12}x_5x_8 \oplus x_{10}x_{12}x_6x_7 \oplus x_{10}x_{12}x_6x_8 \oplus x_{10}x_{12}x_7x_8 \oplus \\
& x_{11}x_{12}x_5x_6 \oplus x_{11}x_{12}x_5x_7 \oplus x_{11}x_{12}x_5x_8 \oplus x_{11}x_{12}x_6x_7 \oplus x_{11}x_{12}x_6x_8 \oplus x_{11}x_{12}x_7x_8.
\end{aligned}
$$

That means that the superpoly is not going to be linear, but of 2nd degree, and
again by Definition 4.3, $x_9$ fails at being a maxterm. The appearance of the
same product in Equation (5.31) makes variables $x_{10}, x_{11}, x_{12}$ fail at being
maxterms for the same reasons $x_9$ did.^4


The results detailed in Table 7 of Section C of this chapter illustrate that
maxterms of 2nd and 3rd degree do exist.

C. RESULTS

1. Preprocessing Phase

In Table 7, the author has displayed all the maxterms and their
corresponding linear coefficients or superpolys of the encryption function found
by running the program in the Maple environment.


4 Note that variables $x_9, x_{10}, x_{11}, x_{12}$ fail at being maxterms because $\Pi^2_{t+2}\Pi^2_{t+1}$ and $\Pi^2_{t+2}\Pi^1_{t+1}$
appear in Equation (5.31).
Superpolys (with Linear Coefficients) | Cube Indexes of Maxterms of the 2nd Degree | Cube Indexes of Maxterms of the 3rd Degree

x6 ⊕ x7 ⊕ x8 ⊕ b ⊕ 1   | {1,5}, {2,5}, {3,5}, {4,5}, {5,13}, {5,14}, {5,15}, {5,16} | {5,9,10}, {5,9,11}, {5,9,12}, {5,10,11}, {5,10,12}, {5,11,12}
x5 ⊕ x7 ⊕ x8 ⊕ b ⊕ 1   | {1,6}, {2,6}, {3,6}, {4,6}, {6,13}, {6,14}, {6,15}, {6,16} | {6,9,10}, {6,9,11}, {6,9,12}, {6,10,11}, {6,10,12}, {6,11,12}
x5 ⊕ x6 ⊕ x8 ⊕ b ⊕ 1   | {1,7}, {2,7}, {3,7}, {4,7}, {7,13}, {7,14}, {7,15}, {7,16} | {7,9,10}, {7,9,11}, {7,9,12}, {7,10,11}, {7,10,12}, {7,11,12}
x5 ⊕ x6 ⊕ x7 ⊕ b ⊕ 1   | {1,8}, {2,8}, {3,8}, {4,8}, {8,13}, {8,14}, {8,15}, {8,16} | {8,9,10}, {8,9,11}, {8,9,12}, {8,10,11}, {8,10,12}, {8,11,12}
x9 ⊕ x10 ⊕ x11 ⊕ c     | -                                                          | {5,6,12}, {5,7,12}, {5,8,12}, {6,7,12}, {6,8,12}, {7,8,12}
x9 ⊕ x10 ⊕ x12 ⊕ c     | -                                                          | {5,6,11}, {5,7,11}, {5,8,11}, {6,7,11}, {6,8,11}, {7,8,11}
x9 ⊕ x11 ⊕ x12 ⊕ c     | -                                                          | {5,6,10}, {5,7,10}, {5,8,10}, {6,7,10}, {6,8,10}, {7,8,10}
x10 ⊕ x11 ⊕ x12 ⊕ c    | -                                                          | {5,6,9}, {5,7,9}, {5,8,9}, {6,7,9}, {6,8,9}, {7,8,9}
x5 ⊕ b                 | -                                                          | {6,7,8}
x6 ⊕ b                 | -                                                          | {5,7,8}
x7 ⊕ b                 | -                                                          | {5,6,8}
x8 ⊕ b                 | -                                                          | {5,6,7}

Table 6. Maxterms and Superpolys of the E0 Keystream Generator


The author ended up with twelve superpolys/linear coefficients, depending
on the following unknown variables:

Observation 6.2: The author was forced to use variables
$x_5, x_6, x_7, x_8, x_9, x_{10}, x_{11}, x_{12}$ as unknowns, since they are the only variables that
appear as variables in the superpolys. By implementing a chosen plaintext
attack, the attacker can determine their values.

This is a useful observation; in addition, the terms that appear in the 2nd- and
3rd-degree columns of the table do not have to be assumed known, but rather only need
to be manipulatable.

The program was executed several times, for testing purposes, on an Intel
Pentium 4 processor with a CPU of 2.80 GHz and 1 GB of RAM, and the results
were produced in a mean time of 8.03 seconds, consuming 5.25 MB of memory.
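The preprocessing phase described in the proof of Theorem 6.1 and summarized in Table 6 can be reproduced without Maple. The program below is an added example, not the thesis's tool: it holds the encryption function Q of Equation (5.31) in algebraic normal form as a set of monomials (each a frozenset of variable names), so that factoring Q = x_I · p_I + q for a cube I is exact rather than a probabilistic linearity test. The variable names follow the thesis (x1..x16 for the LFSR output bits at clocks t..t+3, and a, b, c, d for the known keystream bits z_t..z_{t+3}); a superpoly counts as a maxterm's coefficient when it is linear and involves at least one LFSR bit, which is Definition 4.3 with the keystream bits treated as constants. The search enumerates every cube of one to four LFSR bits, so it also confirms the two halves of Theorem 6.1 (no maxterms of degree 1 or 4).

```python
"""Cube-attack preprocessing on the E0 function Q of Equation (5.31) (added example)."""
from itertools import combinations

ONE = frozenset()          # the constant monomial 1


def var(name):
    return {frozenset([name])}


def add(*polys):
    """Sum over GF(2): equal monomials cancel (symmetric difference)."""
    out = set()
    for p in polys:
        out = out ^ p
    return out


def mul(*polys):
    """Product over GF(2): x*x = x, so monomials merge by set union."""
    out = {ONE}
    for p in polys:
        acc = set()
        for m1 in out:
            for m2 in p:
                acc ^= {m1 | m2}
        out = acc
    return out


def lin(names):
    return {frozenset([n]) for n in names}


def sym(names, k):
    """k-th elementary symmetric polynomial, as in (5.9)-(5.12)."""
    return {frozenset(t) for t in combinations(names, k)}


def build_Q():
    """Equation (5.31), term by term, with a = z_t, b = z_{t+1}, c = z_{t+2}, d = z_{t+3}."""
    xt, xt1 = ["x1", "x2", "x3", "x4"], ["x5", "x6", "x7", "x8"]
    xt2, xt3 = ["x9", "x10", "x11", "x12"], ["x13", "x14", "x15", "x16"]
    a, b, c, d, one = var("a"), var("b"), var("c"), var("d"), {ONE}
    P1_t, P1_t1, P1_t2, P1_t3 = lin(xt), lin(xt1), lin(xt2), lin(xt3)
    P2_t1, P3_t1, P4_t1, P2_t2 = sym(xt1, 2), sym(xt1, 3), sym(xt1, 4), sym(xt2, 2)
    zsum = add(a, b, c, d)
    return add(
        zsum,
        mul(P2_t1, zsum),
        P4_t1,
        mul(P1_t1, add(a, c, d, mul(a, b), mul(b, c), mul(b, d))),
        P1_t,
        mul(P1_t, P1_t1, add(one, b)),
        mul(P1_t, P2_t1),
        mul(P1_t2, b),
        mul(P1_t2, P1_t1, c, add(b, one)),
        mul(P1_t2, P2_t1, c),
        P2_t2,
        mul(P2_t2, P1_t1, add(one, b)),
        mul(P2_t2, P2_t1),
        P1_t3,
        mul(P1_t3, P1_t1, add(b, one)),
        mul(P1_t3, P2_t1),
        mul(P3_t1, b),
        P2_t1,
        P1_t1,
    )


def superpoly(Q, cube):
    """p_I for the cube I: the monomials of Q divisible by x_I, with x_I divided out."""
    I = frozenset(cube)
    return {m - I for m in Q if I <= m}


def is_maxterm(p):
    """Definition 4.3: linear (no monomial of size > 1) and not constant in the LFSR bits."""
    linear = all(len(m) <= 1 for m in p)
    depends_on_x = any(len(m) == 1 and next(iter(m)).startswith("x") for m in p)
    return linear and depends_on_x


def find_maxterms(Q, max_degree=4):
    """Try every cube of 1..max_degree LFSR-bit variables; return {cube: superpoly}."""
    names = ["x%d" % i for i in range(1, 17)]
    found = {}
    for k in range(1, max_degree + 1):
        for cube in combinations(names, k):
            p = superpoly(Q, cube)
            if is_maxterm(p):
                found[cube] = p
    return found


def pretty(p):
    return " + ".join(sorted("1" if m == ONE else next(iter(m)) for m in p)) or "0"


if __name__ == "__main__":
    Q = build_Q()
    maxterms = find_maxterms(Q)
    for k in (1, 2, 3, 4):
        print("maxterms of degree %d: %d" % (k, sum(1 for cb in maxterms if len(cb) == k)))
    for cube in (("x1", "x5"), ("x5", "x9", "x10"), ("x5", "x6", "x12"), ("x6", "x7", "x8")):
        print(cube, "->", pretty(maxterms[cube]))
```

Running it lists 32 maxterms of degree 2 and 52 of degree 3, none of degree 1 or 4, with exactly the twelve distinct superpolys of Table 6; for instance the cube {1,5} yields 1 + b + x6 + x7 + x8 and the cube {6,7,8} yields b + x5. A cube such as {1,5,6} has the constant superpoly 1 and is therefore rejected, which is why no cube in Table 6 mixes x1..x4 with two bits of x5..x8.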

2.  Online  Phase 

Using the encryption function formed by the multivariable polynomial
(Appendix A), after the preprocessing phase the attacker has obtained all the possible
linear co-factors (superpolys). From the specific encryption function of the
multivariable polynomial (obtained after the attacker masquerades as an
authorized user and gains access to the security protocol), the attacker will
eventually succeed in gathering twelve unique and independent equations:

$$x_5 \oplus b = a_1, \qquad (6.1)$$

$$x_6 \oplus b = a_2, \qquad (6.2)$$

$$x_7 \oplus b = a_3, \qquad (6.3)$$

$$x_8 \oplus b = a_4, \qquad (6.4)$$

$$x_6 \oplus x_7 \oplus x_8 \oplus b \oplus 1 = a_5, \qquad (6.5)$$

$$x_5 \oplus x_7 \oplus x_8 \oplus b \oplus 1 = a_6, \qquad (6.6)$$

$$x_5 \oplus x_6 \oplus x_8 \oplus b \oplus 1 = a_7, \qquad (6.7)$$

$$x_5 \oplus x_6 \oplus x_7 \oplus b \oplus 1 = a_8, \qquad (6.8)$$

$$x_9 \oplus x_{10} \oplus x_{11} \oplus c = a_9, \qquad (6.9)$$

$$x_9 \oplus x_{10} \oplus x_{12} \oplus c = a_{10}, \qquad (6.10)$$

$$x_9 \oplus x_{11} \oplus x_{12} \oplus c = a_{11}, \qquad (6.11)$$

$$x_{10} \oplus x_{11} \oplus x_{12} \oplus c = a_{12}, \qquad (6.12)$$

where $a_i \in \{0, 1\}$ and $i \in \{1, \ldots, 12\}$ are considered known bits.

The above system of equations is an over-defined system of equations on the
variables $x_5, \ldots, x_{12}$. The solution we obtained is:

$$x_5 = a_1 \oplus b, \qquad (6.13)$$

$$x_6 = a_2 \oplus b, \qquad (6.14)$$

$$x_7 = a_3 \oplus b, \qquad (6.15)$$

$$x_8 = a_4 \oplus b, \qquad (6.16)$$

$$x_9 = a_9 \oplus a_{10} \oplus a_{11} \oplus c, \qquad (6.17)$$

$$x_{10} = a_9 \oplus a_{10} \oplus a_{12} \oplus c, \qquad (6.18)$$

$$x_{11} = a_9 \oplus a_{11} \oplus a_{12} \oplus c, \qquad (6.17)$$

$$x_{12} = a_{10} \oplus a_{11} \oplus a_{12} \oplus c. \qquad (6.18)$$

Remark.  It  is  worth  mentioning  that  even  if  not  all  these  assumptions  are 
made,  it  is  still  possible  to  use  this  approach  to  find  useful  information  about  the 
output  bits  of  the  LFSRs. 
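The online phase of Section C.2 amounts to solving a small linear system over GF(2). The program below is an added example, not the thesis's code: each row of Table 6 becomes one equation in the unknown LFSR bits x5..x12, with the known keystream bits b = z_{t+1} and c = z_{t+2} moved to the right-hand side together with the cube sum a_i, and a generic Gauss-Jordan elimination over bitmasks solves the over-determined system (6.1)-(6.12). The "oracle" here is a constructed stand-in that evaluates the superpolys on a chosen secret; in the thesis the a_i come from the chosen-plaintext queries. The solver is cross-checked against the closed form (6.13)-(6.18) and also reports an inconsistent system, which is what a corrupted oracle reading produces because twelve equations constrain only eight unknowns.

```python
"""Online phase of the cube attack on E0: solving (6.1)-(6.12) over GF(2) (added example)."""
import random

UNKNOWNS = ["x5", "x6", "x7", "x8", "x9", "x10", "x11", "x12"]

# Equations (6.1)-(6.12) from Table 6: (unknown variables, known terms), a_i on the right.
SUPERPOLYS = [
    (("x5",), ("b",)),
    (("x6",), ("b",)),
    (("x7",), ("b",)),
    (("x8",), ("b",)),
    (("x6", "x7", "x8"), ("b", "1")),
    (("x5", "x7", "x8"), ("b", "1")),
    (("x5", "x6", "x8"), ("b", "1")),
    (("x5", "x6", "x7"), ("b", "1")),
    (("x9", "x10", "x11"), ("c",)),
    (("x9", "x10", "x12"), ("c",)),
    (("x9", "x11", "x12"), ("c",)),
    (("x10", "x11", "x12"), ("c",)),
]


def known_value(sym, b, c):
    return {"b": b, "c": c, "1": 1}[sym]


def simulated_oracle(secret, b, c):
    """Constructed stand-in for the chosen-plaintext oracle: returns the cube sums a_1..a_12."""
    a = []
    for variables, knowns in SUPERPOLYS:
        bit = 0
        for v in variables:
            bit ^= secret[v]
        for k in knowns:
            bit ^= known_value(k, b, c)
        a.append(bit)
    return a


def gf2_solve(rows, n):
    """Gauss-Jordan elimination on (bitmask, rhs) rows; None unless the solution is unique."""
    rows = [[mask, rhs] for mask, rhs in rows]
    pivot_cols, r = [], 0
    for col in range(n):
        bit = 1 << col
        piv = next((i for i in range(r, len(rows)) if rows[i][0] & bit), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        for i in range(len(rows)):
            if i != r and rows[i][0] & bit:
                rows[i][0] ^= rows[r][0]
                rows[i][1] ^= rows[r][1]
        pivot_cols.append(col)
        r += 1
    if any(mask == 0 and rhs == 1 for mask, rhs in rows[r:]):
        return None                                   # 0 = 1: inconsistent equations
    if len(pivot_cols) < n:
        return None                                   # some unknown is not determined
    solution = [0] * n
    for i, col in enumerate(pivot_cols):
        solution[col] = rows[i][1]
    return solution


def recover_lfsr_bits(a, b, c):
    """Solve (6.1)-(6.12) for x5..x12 given the oracle outputs a_1..a_12 and known b, c."""
    rows = []
    for (variables, knowns), a_i in zip(SUPERPOLYS, a):
        mask = 0
        for v in variables:
            mask |= 1 << UNKNOWNS.index(v)
        rhs = a_i
        for k in knowns:
            rhs ^= known_value(k, b, c)
        rows.append((mask, rhs))
    sol = gf2_solve(rows, len(UNKNOWNS))
    return None if sol is None else dict(zip(UNKNOWNS, sol))


def closed_form(a, b, c):
    """Equations (6.13)-(6.18), written out with the thesis's a_i indexing."""
    a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12 = a
    return {"x5": a1 ^ b, "x6": a2 ^ b, "x7": a3 ^ b, "x8": a4 ^ b,
            "x9": a9 ^ a10 ^ a11 ^ c, "x10": a9 ^ a10 ^ a12 ^ c,
            "x11": a9 ^ a11 ^ a12 ^ c, "x12": a10 ^ a11 ^ a12 ^ c}


if __name__ == "__main__":
    rng = random.Random(2009)
    secret = {v: rng.randrange(2) for v in UNKNOWNS}   # constructed LFSR output bits
    b, c = rng.randrange(2), rng.randrange(2)            # constructed keystream bits
    a = simulated_oracle(secret, b, c)
    print("oracle bits a_1..a_12:", a)
    print("recovered           :", recover_lfsr_bits(a, b, c))
    print("matches closed form :", recover_lfsr_bits(a, b, c) == closed_form(a, b, c))
```

Note that equations (6.5)-(6.8) are redundant given (6.1)-(6.4) (each is the sum of three of them plus 1), so the rank of the system is eight; the redundancy is what lets the solver detect a wrong oracle reading.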

D.  ANALYSIS  OF  THE  RESULTS 

Below  is  our  main  contribution  in  this  thesis. 

Theorem 6.3: If an attacker has unauthorized access to the encryption
protocol and can use the encryption machine as an oracle, so that he can
manipulate some of the bits of the LFSRs, then by knowing the output bits of the
E0 keystream generator he succeeds in recovering the outputs of the LFSRs at
any clock tick.

Proof:

In Section C of this chapter we showed that, assuming an attacker has
access to the variables of the four LFSRs at clock times t, t+1, t+2 and t+3 and the
output bit streams of E0, he can compute the output of the four LFSRs at clock
ticks t+1 and t+2.

By continuing this process in reverse order, it is easy to observe that one can
compute the output of the four LFSRs at clock ticks t and t+1 by only having
access to, and tweaking, the variables and the output of E0 at clock tick t-1.

Taking one more step back in time, an attacker may explicitly find
that for the output of the LFSRs at clock t, he only has to have further access
to, and tweak, the variables and the output bits of E0 at clock t-2, and so on.

The  theorem  is  proved.  ■ 

Further knowledge about the internals of E0 is needed to correlate the
output of the LFSRs and the encryption key placed in E0. A difficulty one may
have in completely revealing the encryption key is that, according to Lu and
Vaudenay in [1], the E0 keystream generator produces limited segments of
keystream and after 2745 bits the generator is reinitialized. However, this is not
explicitly stated in the Bluetooth core specifications document.

E.  COMPLEXITY 

The complexity in this section is measured in operation steps.

1. Preprocessing Phase

Let $d$ be the degree of the encryption function $f$ and $n$ be the number of
variables of $f$. During the preprocessing phase, an attacker is trying to find as
many maxterms as possible. From this phase, an attacker may obtain $n+1$ output
bits from the LFSRs and some constant terms. The amount of work needed,
based on Zhang et al. in [5], is $n(n+1)2^{d-1}$.

The attacker also needs to compute the inverse of the matrix of linear
relations. This requires approximately $n^3$ operations and, as a result, an upper bound
for this phase is:

$$n(n+1)2^{d-1} + n^3$$
2. Online Phase

For the online phase, where one needs to solve the system of linear
equations implementing a chosen plaintext attack, $n \cdot 2^{d-1}$ evaluations of the E0
encryption function are needed, and the matrix multiplication, which takes $n^2$
operations, needs to be performed. Again, by drawing on the analysis by
Zhang et al. [5], the complexity is of the following form:

$$n 2^{d-1} + n^2$$

Therefore, the overall complexity from both phases is:

$$n(n+1)2^{d-1} + n^3 + n 2^{d-1} + n^2 = n^2 2^{d-1} + 2n 2^{d-1} + n^3 + n^2, \qquad (6.19)$$

which is equivalent to $O(n^2 2^{d-1} + n^3)$.

In the case of Bluetooth, with $n = n_1 + n_2 + n_3 + n_4 = 128$ (where $n_1$ is the length of
the first LFSR, $n_2$ is the length of the second LFSR, and so on) and $d = 4$, we
determine that the attack on E0 requires $2246656 \approx 2^{21}$ bit operations.

The number of operations needed for the computational process is considerably
less than that of similar algebraic attacks (2^'‘^* bit operations needed [3]) and
correlation attacks (2^’ bit operations needed [2]), which we described in
Chapter III. However, our cube-type attack is limited to the LFSRs' output at any
clock tick.
VII. CONCLUSION

We can only see a short distance ahead, but we can see plenty there that needs to be done.

Alan Turing (1912-1954)

A.  CONTRIBUTION 

The  main  contribution  of  this  thesis  is  as  follows: 

If an attacker has unauthorized access to the encryption protocol, the attacker can use the encryption machine as an oracle: if he can manipulate some of the bits of the LFSRs and knows the output bits of the E0 keystream generator, he can find the outputs of the individual LFSRs at any clock tick.

In this study, we investigated the current types of attacks, like correlation and algebraic attacks, used against wireless systems. We focused on a new (introduced in 2008) and promising type of algebraic attack, namely the cube attack. We implemented the cube attack in a wireless system, namely Bluetooth. We modeled the encryption function of E0 and automated the process of the cube attack on E0. This included the factorization process (preprocessing phase), where an attacker finds as many maxterms as possible. In the actual attacking phase, the attacker solves the system of linear equations through a chosen plaintext attack and computes useful information about the cryptosystem. The number of operations needed for the computational process is of order $2^{21}$ bit operations and is considerably less than that of similar algebraic types of attacks, but is limited to finding the output of the LFSRs at any clock cycle.

A useful observation is the following. There are many different types of attackers. Regardless of whether the attacker is a blackhat, greyhat or whitehat hacker, a sufficient level of sophistication is required for the attacker to succeed in implementing the cube-type attack. A combination of a man-in-the-middle attack and a chosen plaintext attack, knowledge of the encryption function of the target machine, and knowledge of the encryption protocol that is in use are all needed, which increases the difficulty of the attack.

B.  FUTURE  DIRECTIONS 

Further studies may improve many aspects of this thesis. The most important question that needs to be answered is how an attacker can recover the encryption key of E0 after learning the output bits of every LFSR, which this study provides. Further investigation of the structure of E0 given in [28] is required to correlate the internal, initial state of the LFSRs (the pure key, corresponding address, random number and the clocking bits that feed into the LFSRs during their initialization phase) with the output bits per clock tick.

Building  on  these  results,  the  next  stage  of  research  is  to  validate  our 
integration  of  the  cube-type  attack  into  the  Bluetooth  encryption  protocol.  As 
demonstrated  in  this  research  as  well  as  other  research,  one  needs  to  be  able  to 
understand  and  formally  evaluate  the  strengths  of  a  given  cryptosystem  and  be 
able  to  evaluate  the  implementation  of  the  cryptosystem  to  ensure  that  there  are 
no  flaws  in  the  application  of  the  cryptosystem.  The  cryptosystem  and  the 
protocol  it  uses  may  be  good,  but  if  poorly  implemented  they  will  most  likely  be 
untrustworthy. 

Given the ubiquity of Wi-Fi and the emerging adoption of WiMAX, it is evident that more work needs to be done to understand the trustworthiness of wireless systems in terms of the strength of the underlying encryption protocols. These systems use different encryption algorithms and different ciphers than E0. One could follow our steps to implement the cube-type attack: model the encryption function of these systems, then execute the preprocessing phase and the online phase, and observe how effective this attack may be.
APPENDIX A. ENCRYPTION FUNCTION OF E0 IN FULL EXPANSION


From Equation (5.31), after doing the algebraic multiplication and addition, we end up with the detailed encryption function. We did not use any tool to obtain the result, since the polynomial was not of high degree and the number of variables was manageable.

$$
\begin{aligned}
0 = {}& a \oplus b \oplus c \oplus d \oplus x_5x_6a \oplus x_5x_6b \oplus x_5x_6c \oplus x_5x_6d \oplus x_5x_7a \oplus x_5x_7b \oplus x_5x_7c \oplus x_5x_7d \oplus \\
& x_5x_8a \oplus x_5x_8b \oplus x_5x_8c \oplus x_5x_8d \oplus x_6x_7a \oplus x_6x_7b \oplus x_6x_7c \oplus x_6x_7d \oplus x_6x_8a \oplus x_6x_8b \oplus x_6x_8c \oplus x_6x_8d \oplus \\
& x_7x_8a \oplus x_7x_8b \oplus x_7x_8c \oplus x_7x_8d \oplus x_5x_6x_7x_8 \oplus \\
& x_5a \oplus x_5c \oplus x_5d \oplus x_5ab \oplus x_5bc \oplus x_5bd \oplus x_6a \oplus x_6c \oplus x_6d \oplus x_6ab \oplus x_6bc \oplus x_6bd \oplus \\
& x_7a \oplus x_7c \oplus x_7d \oplus x_7ab \oplus x_7bc \oplus x_7bd \oplus x_8a \oplus x_8c \oplus x_8d \oplus x_8ab \oplus x_8bc \oplus x_8bd \oplus \\
& x_1 \oplus x_2 \oplus x_3 \oplus x_4 \oplus x_1x_5 \oplus x_1x_6 \oplus x_1x_7 \oplus x_1x_8 \oplus x_2x_5 \oplus x_2x_6 \oplus x_2x_7 \oplus x_2x_8 \oplus \\
& x_3x_5 \oplus x_3x_6 \oplus x_3x_7 \oplus x_3x_8 \oplus x_4x_5 \oplus x_4x_6 \oplus x_4x_7 \oplus x_4x_8 \oplus \\
& x_1x_5b \oplus x_1x_6b \oplus x_1x_7b \oplus x_1x_8b \oplus x_2x_5b \oplus x_2x_6b \oplus x_2x_7b \oplus x_2x_8b \oplus \\
& x_3x_5b \oplus x_3x_6b \oplus x_3x_7b \oplus x_3x_8b \oplus x_4x_5b \oplus x_4x_6b \oplus x_4x_7b \oplus x_4x_8b \oplus \\
& x_1x_5x_6 \oplus x_1x_5x_7 \oplus x_1x_5x_8 \oplus x_1x_6x_7 \oplus x_1x_6x_8 \oplus x_1x_7x_8 \oplus x_2x_5x_6 \oplus x_2x_5x_7 \oplus x_2x_5x_8 \oplus x_2x_6x_7 \oplus x_2x_6x_8 \oplus x_2x_7x_8 \oplus \\
& x_3x_5x_6 \oplus x_3x_5x_7 \oplus x_3x_5x_8 \oplus x_3x_6x_7 \oplus x_3x_6x_8 \oplus x_3x_7x_8 \oplus x_4x_5x_6 \oplus x_4x_5x_7 \oplus x_4x_5x_8 \oplus x_4x_6x_7 \oplus x_4x_6x_8 \oplus x_4x_7x_8 \oplus \\
& x_9b \oplus x_{10}b \oplus x_{11}b \oplus x_{12}b \oplus \\
& x_9x_5c \oplus x_9x_6c \oplus x_9x_7c \oplus x_9x_8c \oplus x_{10}x_5c \oplus x_{10}x_6c \oplus x_{10}x_7c \oplus x_{10}x_8c \oplus \\
& x_{11}x_5c \oplus x_{11}x_6c \oplus x_{11}x_7c \oplus x_{11}x_8c \oplus x_{12}x_5c \oplus x_{12}x_6c \oplus x_{12}x_7c \oplus x_{12}x_8c \oplus \\
& x_9x_5cb \oplus x_9x_6cb \oplus x_9x_7cb \oplus x_9x_8cb \oplus x_{10}x_5cb \oplus x_{10}x_6cb \oplus x_{10}x_7cb \oplus x_{10}x_8cb \oplus \\
& x_{11}x_5cb \oplus x_{11}x_6cb \oplus x_{11}x_7cb \oplus x_{11}x_8cb \oplus x_{12}x_5cb \oplus x_{12}x_6cb \oplus x_{12}x_7cb \oplus x_{12}x_8cb \oplus \\
& x_9x_5x_6c \oplus x_9x_5x_7c \oplus x_9x_5x_8c \oplus x_9x_6x_7c \oplus x_9x_6x_8c \oplus x_9x_7x_8c \oplus x_{10}x_5x_6c \oplus x_{10}x_5x_7c \oplus x_{10}x_5x_8c \oplus x_{10}x_6x_7c \oplus x_{10}x_6x_8c \oplus x_{10}x_7x_8c \oplus \\
& x_{11}x_5x_6c \oplus x_{11}x_5x_7c \oplus x_{11}x_5x_8c \oplus x_{11}x_6x_7c \oplus x_{11}x_6x_8c \oplus x_{11}x_7x_8c \oplus x_{12}x_5x_6c \oplus x_{12}x_5x_7c \oplus x_{12}x_5x_8c \oplus x_{12}x_6x_7c \oplus x_{12}x_6x_8c \oplus x_{12}x_7x_8c \oplus \\
& x_9x_{10} \oplus x_9x_{11} \oplus x_9x_{12} \oplus x_{10}x_{11} \oplus x_{10}x_{12} \oplus x_{11}x_{12} \oplus \\
& x_9x_{10}x_5 \oplus x_9x_{10}x_6 \oplus x_9x_{10}x_7 \oplus x_9x_{10}x_8 \oplus x_9x_{11}x_5 \oplus x_9x_{11}x_6 \oplus x_9x_{11}x_7 \oplus x_9x_{11}x_8 \oplus x_9x_{12}x_5 \oplus x_9x_{12}x_6 \oplus x_9x_{12}x_7 \oplus x_9x_{12}x_8 \oplus \\
& x_{10}x_{11}x_5 \oplus x_{10}x_{11}x_6 \oplus x_{10}x_{11}x_7 \oplus x_{10}x_{11}x_8 \oplus x_{10}x_{12}x_5 \oplus x_{10}x_{12}x_6 \oplus x_{10}x_{12}x_7 \oplus x_{10}x_{12}x_8 \oplus x_{11}x_{12}x_5 \oplus x_{11}x_{12}x_6 \oplus x_{11}x_{12}x_7 \oplus x_{11}x_{12}x_8 \oplus \\
& x_9x_{10}x_5b \oplus x_9x_{10}x_6b \oplus x_9x_{10}x_7b \oplus x_9x_{10}x_8b \oplus x_9x_{11}x_5b \oplus x_9x_{11}x_6b \oplus x_9x_{11}x_7b \oplus x_9x_{11}x_8b \oplus x_9x_{12}x_5b \oplus x_9x_{12}x_6b \oplus x_9x_{12}x_7b \oplus x_9x_{12}x_8b \oplus \\
& x_{10}x_{11}x_5b \oplus x_{10}x_{11}x_6b \oplus x_{10}x_{11}x_7b \oplus x_{10}x_{11}x_8b \oplus x_{10}x_{12}x_5b \oplus x_{10}x_{12}x_6b \oplus x_{10}x_{12}x_7b \oplus x_{10}x_{12}x_8b \oplus x_{11}x_{12}x_5b \oplus x_{11}x_{12}x_6b \oplus x_{11}x_{12}x_7b \oplus x_{11}x_{12}x_8b \oplus \\
& x_9x_{10}x_5x_6 \oplus x_9x_{10}x_5x_7 \oplus x_9x_{10}x_5x_8 \oplus x_9x_{10}x_6x_7 \oplus x_9x_{10}x_6x_8 \oplus x_9x_{10}x_7x_8 \oplus \\
& x_9x_{11}x_5x_6 \oplus x_9x_{11}x_5x_7 \oplus x_9x_{11}x_5x_8 \oplus x_9x_{11}x_6x_7 \oplus x_9x_{11}x_6x_8 \oplus x_9x_{11}x_7x_8 \oplus \\
& x_9x_{12}x_5x_6 \oplus x_9x_{12}x_5x_7 \oplus x_9x_{12}x_5x_8 \oplus x_9x_{12}x_6x_7 \oplus x_9x_{12}x_6x_8 \oplus x_9x_{12}x_7x_8 \oplus \\
& x_{10}x_{11}x_5x_6 \oplus x_{10}x_{11}x_5x_7 \oplus x_{10}x_{11}x_5x_8 \oplus x_{10}x_{11}x_6x_7 \oplus x_{10}x_{11}x_6x_8 \oplus x_{10}x_{11}x_7x_8 \oplus \\
& x_{10}x_{12}x_5x_6 \oplus x_{10}x_{12}x_5x_7 \oplus x_{10}x_{12}x_5x_8 \oplus x_{10}x_{12}x_6x_7 \oplus x_{10}x_{12}x_6x_8 \oplus x_{10}x_{12}x_7x_8 \oplus \\
& x_{11}x_{12}x_5x_6 \oplus x_{11}x_{12}x_5x_7 \oplus x_{11}x_{12}x_5x_8 \oplus x_{11}x_{12}x_6x_7 \oplus x_{11}x_{12}x_6x_8 \oplus x_{11}x_{12}x_7x_8 \oplus \\
& x_{13} \oplus x_{14} \oplus x_{15} \oplus x_{16} \oplus x_{13}x_5 \oplus x_{13}x_6 \oplus x_{13}x_7 \oplus x_{13}x_8 \oplus x_{14}x_5 \oplus x_{14}x_6 \oplus x_{14}x_7 \oplus x_{14}x_8 \oplus \\
& x_{15}x_5 \oplus x_{15}x_6 \oplus x_{15}x_7 \oplus x_{15}x_8 \oplus x_{16}x_5 \oplus x_{16}x_6 \oplus x_{16}x_7 \oplus x_{16}x_8 \oplus \\
& x_{13}x_5b \oplus x_{13}x_6b \oplus x_{13}x_7b \oplus x_{13}x_8b \oplus x_{14}x_5b \oplus x_{14}x_6b \oplus x_{14}x_7b \oplus x_{14}x_8b \oplus \\
& x_{15}x_5b \oplus x_{15}x_6b \oplus x_{15}x_7b \oplus x_{15}x_8b \oplus x_{16}x_5b \oplus x_{16}x_6b \oplus x_{16}x_7b \oplus x_{16}x_8b \oplus \\
& x_{13}x_5x_6 \oplus x_{13}x_5x_7 \oplus x_{13}x_5x_8 \oplus x_{13}x_6x_7 \oplus x_{13}x_6x_8 \oplus x_{13}x_7x_8 \oplus x_{14}x_5x_6 \oplus x_{14}x_5x_7 \oplus x_{14}x_5x_8 \oplus x_{14}x_6x_7 \oplus x_{14}x_6x_8 \oplus x_{14}x_7x_8 \oplus \\
& x_{15}x_5x_6 \oplus x_{15}x_5x_7 \oplus x_{15}x_5x_8 \oplus x_{15}x_6x_7 \oplus x_{15}x_6x_8 \oplus x_{15}x_7x_8 \oplus x_{16}x_5x_6 \oplus x_{16}x_5x_7 \oplus x_{16}x_5x_8 \oplus x_{16}x_6x_7 \oplus x_{16}x_6x_8 \oplus x_{16}x_7x_8 \oplus \\
& x_5x_6x_7b \oplus x_5x_6x_8b \oplus x_5x_7x_8b \oplus x_6x_7x_8b \oplus \\
& x_5x_6 \oplus x_5x_7 \oplus x_5x_8 \oplus x_6x_7 \oplus x_6x_8 \oplus x_7x_8 \oplus x_5 \oplus x_6 \oplus x_7 \oplus x_8
\end{aligned}
$$


Note: A glossary of the E0 keystream generator is provided in Appendix D.


APPENDIX  B.  MAPLE  12 


Working  in  the  Maple  12  environment  and  after  running  the  detailed 
program,  we  found  twelve  superpolys,  including  the  unknown  variables  of  the 
four  LFSRs  for  two  consecutive  clock  times.  The  program  was  executed  several 
times  for  testing  purposes  on  an  Intel  Pentium  4  processor  with  a  CPU  of  2.80 
GHz  and  1  GB  of  RAM,  and  the  results  were  produced  in  a  mean  time  of  8.03 
seconds,  consuming  5.25  MB  of  memory. 

The structure of the program is simple. Using the methods prod2 and prod3, we take the integers that represent the variables of the encryption function and concatenate them to create products of variables. The parts method takes as input any product of variables and returns its remainder and the cofactor (superpoly). The ptab table stores the results. Then we iterate through the table and output every unique linear, nonconstant co-factor and its corresponding products (maxterms).

In order to run this program one has to open a new worksheet in the Maple 12 environment and copy every paragraph of the following Maple code that starts with the symbol “>” and ends with its terminating “;” (or “:”), along with its contents, and paste it into the worksheet. Then he or she has to press the execute symbol on the taskbar to evaluate the code, and continue this process up to the last line of code. Comments starting with the symbol “//” must not be entered in the worksheet, as they will cause an error.

MAPLE  CODE 

// The encryption function of E0 in Algebraic Normal Form in Maple syntax

> anf := a + b + c + d + X5*X6*a + X5*X6*b + X5*X6*c +
  X5*X6*d + X5*X7*a + X5*X7*b + X5*X7*c + X5*X7*d + X5*X8*a +
  X5*X8*b + X5*X8*c + X5*X8*d + X6*X7*a + X6*X7*b + X6*X7*c +
  X6*X7*d + X6*X8*a + X6*X8*b + X6*X8*c + X6*X8*d + X7*X8*a +
  X7*X8*b + X7*X8*c + X7*X8*d + X5*X6*X7*X8 + X5*a + X5*c +
  X5*d + X5*a*b + X5*b*c + X5*b*d + X6*a + X6*c + X6*d +
  X6*a*b + X6*b*c + X6*b*d + X7*a + X7*c + X7*d + X7*a*b +
  X7*b*c + X7*b*d + X8*a + X8*c + X8*d + X8*a*b + X8*b*c +
  X8*b*d + X1 + X2 + X3 + X4 + X1*X5 + X1*X6 + X1*X7 + X1*X8
  + X2*X5 + X2*X6 + X2*X7 + X2*X8 + X3*X5 + X3*X6 + X3*X7 +
  X3*X8 + X4*X5 + X4*X6 + X4*X7 + X4*X8
  + X1*X5*b + X1*X6*b + X1*X7*b + X1*X8*b + X2*X5*b + X2*X6*b
  + X2*X7*b + X2*X8*b + X3*X5*b + X3*X6*b + X3*X7*b + X3*X8*b
  + X4*X5*b + X4*X6*b + X4*X7*b + X4*X8*b + X1*X5*X6 +
  X1*X5*X7 + X1*X5*X8 + X1*X6*X7 + X1*X6*X8 + X1*X7*X8 +
  X2*X5*X6 + X2*X5*X7 + X2*X5*X8 + X2*X6*X7 + X2*X6*X8 +
  X2*X7*X8 + X3*X5*X6 + X3*X5*X7 + X3*X5*X8 + X3*X6*X7 +
  X3*X6*X8 + X3*X7*X8 + X4*X5*X6 + X4*X5*X7 + X4*X5*X8 +
  X4*X6*X7 + X4*X6*X8 + X4*X7*X8 + X9*b + X10*b + X11*b +
  X12*b + X9*X5*c + X9*X6*c + X9*X7*c + X9*X8*c + X10*X5*c +
  X10*X6*c + X10*X7*c + X10*X8*c + X11*X5*c + X11*X6*c +
  X11*X7*c + X11*X8*c + X12*X5*c + X12*X6*c +
  X12*X7*c + X12*X8*c + X9*X5*c*b + X9*X6*c*b + X9*X7*c*b +
  X9*X8*c*b + X10*X5*c*b + X10*X6*c*b + X10*X7*c*b +
  X10*X8*c*b + X11*X5*c*b + X11*X6*c*b + X11*X7*c*b +
  X11*X8*c*b + X12*X5*c*b + X12*X6*c*b + X12*X7*c*b +
  X12*X8*c*b + X9*X5*X6*c + X9*X5*X7*c + X9*X5*X8*c +
  X9*X6*X7*c + X9*X6*X8*c + X9*X7*X8*c + X10*X5*X6*c +
  X10*X5*X7*c + X10*X5*X8*c + X10*X6*X7*c + X10*X6*X8*c +
  X10*X7*X8*c + X11*X5*X6*c + X11*X5*X7*c + X11*X5*X8*c +
  X11*X6*X7*c + X11*X6*X8*c + X11*X7*X8*c + X12*X5*X6*c +
  X12*X5*X7*c + X12*X5*X8*c + X12*X6*X7*c + X12*X6*X8*c +
  X12*X7*X8*c + X9*X10 + X9*X11 + X9*X12 + X10*X11 +
  X10*X12 + X11*X12 + X9*X10*X5 + X9*X10*X6 + X9*X10*X7 +
  X9*X10*X8 + X9*X11*X5 + X9*X11*X6 + X9*X11*X7 + X9*X11*X8 +
  X9*X12*X5 + X9*X12*X6 + X9*X12*X7 + X9*X12*X8 + X10*X11*X5
  + X10*X11*X6 + X10*X11*X7 + X10*X11*X8 + X10*X12*X5 +
  X10*X12*X6 + X10*X12*X7 + X10*X12*X8 + X11*X12*X5 +
  X11*X12*X6 + X11*X12*X7 + X11*X12*X8 + X9*X10*X5*b +
  X9*X10*X6*b + X9*X10*X7*b + X9*X10*X8*b + X9*X11*X5*b +
  X9*X11*X6*b + X9*X11*X7*b + X9*X11*X8*b + X9*X12*X5*b +
  X9*X12*X6*b + X9*X12*X7*b + X9*X12*X8*b + X10*X11*X5*b +
  X10*X11*X6*b + X10*X11*X7*b + X10*X11*X8*b + X10*X12*X5*b +
  X10*X12*X6*b + X10*X12*X7*b + X10*X12*X8*b + X11*X12*X5*b +
  X11*X12*X6*b + X11*X12*X7*b + X11*X12*X8*b + X9*X10*X5*X6 +
  X9*X10*X5*X7 + X9*X10*X5*X8 + X9*X10*X6*X7 + X9*X10*X6*X8 +
  X9*X10*X7*X8 + X9*X11*X5*X6 + X9*X11*X5*X7 + X9*X11*X5*X8 +
  X9*X11*X6*X7 + X9*X11*X6*X8 + X9*X11*X7*X8 + X9*X12*X5*X6 +
  X9*X12*X5*X7 + X9*X12*X5*X8 + X9*X12*X6*X7 + X9*X12*X6*X8 +
  X9*X12*X7*X8 + X10*X11*X5*X6 + X10*X11*X5*X7 +
  X10*X11*X5*X8 + X10*X11*X6*X7 + X10*X11*X6*X8 +
  X10*X11*X7*X8 + X10*X12*X5*X6 + X10*X12*X5*X7 +
  X10*X12*X5*X8 + X10*X12*X6*X7 + X10*X12*X6*X8 +
  X10*X12*X7*X8 + X11*X12*X5*X6 + X11*X12*X5*X7 +
  X11*X12*X5*X8 + X11*X12*X6*X7 + X11*X12*X6*X8 +
  X11*X12*X7*X8 + X13 + X14 + X15 + X16 + X13*X5 + X13*X6 +
  X13*X7 + X13*X8 + X14*X5 + X14*X6 + X14*X7 + X14*X8 +
  X15*X5 + X15*X6 + X15*X7 + X15*X8 + X16*X5 + X16*X6 +
  X16*X7 + X16*X8 + X13*X5*b + X13*X6*b + X13*X7*b
  + X13*X8*b + X14*X5*b + X14*X6*b + X14*X7*b + X14*X8*b +
  X15*X5*b + X15*X6*b + X15*X7*b + X15*X8*b + X16*X5*b +
  X16*X6*b + X16*X7*b + X16*X8*b + X13*X5*X6 +
  X13*X5*X7 + X13*X5*X8 + X13*X6*X7 + X13*X6*X8 + X13*X7*X8 +
  X14*X5*X6 + X14*X5*X7 + X14*X5*X8 + X14*X6*X7 + X14*X6*X8 +
  X14*X7*X8 + X15*X5*X6 +
  X15*X5*X7 + X15*X5*X8 + X15*X6*X7 + X15*X6*X8 + X15*X7*X8 +
  X16*X5*X6 + X16*X5*X7 + X16*X5*X8 + X16*X6*X7 + X16*X6*X8 +
  X16*X7*X8 + X5*X6*X7*b + X5*X6*X8*b + X5*X7*X8*b +
  X6*X7*X8*b + X5*X6 + X5*X7 + X5*X8 + X6*X7 + X6*X8 +
  X7*X8 + X5 + X6 + X7 + X8;

// prod2 & prod3 take integers and return a product of those X variables

> prod2 := (n,m) -> cat(X,n) * cat(X,m);

> prod3 := (n,m,o) -> cat(X,n) * cat(X,m) * cat(X,o);

// parts takes a product p and returns a list of 2 parts: remainder and cofactor
// (coeffs returns the coefficients of anf in z after p is replaced by z, and
// stores the matching terms in t; t[1] = 1 means the remainder comes first)

> parts := proc ( p ) global anf; local l, z, t;
  l := coeffs( algsubs( p = z, anf ), z, 't' );
  if nops([l]) = 1 then [l, 0];
  else if t[1] = 1 then [ l ];
  else [ l[2], l[1] ];
  end if; end if; end proc;

// set up table "ptab" of these parts, indexed by the integers

> ptab := table();

> for i to 15 do for j from i+1 to 16 do
  ptab[i,j] := parts( prod2(i,j) );
  end do; end do;

> for i to 14 do for j from i + 1 to 15 do for k from j + 1 to 16 do
  ptab[i,j,k] := parts( prod3(i,j,k) );
  end do; end do; end do;

> degree(%);

> degree(%);

// print every product whose cofactor is linear, with its cofactor and remainder

> for i in indices(ptab) do
  if ( degree( ptab[op(i)][2] ) = 1 ) then
  print(i); print(ptab[op(i)][2]); print(ptab[op(i)][1]);
  end if; end do;

> whattype(indices(ptab));

> linfac := select( i -> ( degree( ptab[op(i)][2] ) = 1 ),
  [indices(ptab)] ):

> nops(linfac);

> ptab[op(linfac[1])][2];

> sort([seq( ptab[op(i)][2], i in linfac)]);

// the unique linear cofactors (superpolys), then every maxterm of each one

> linfacs := convert(%, set);

> linfacs := convert(linfacs, list);

> nops(linfacs);

> for fac in linfacs do
  print(fac);
  for i in linfac do
  if ( ptab[op(i)][2] = fac ) then print(i); end if;
  end do;
  end do;

Note:  In  order  for  one  to  add  comments  to  the  worksheet  from  the  Insert  menu  of 
the  taskbar,  one  has  to  select  Paragraph,  and  then  select  Before  Cursor  or  After 
Cursor.  A  new  paragraph  is  inserted  and  the  cursor  is  moved  to  the  new  blank 
line.  From  there,  one  can  enter  the  paragraph. 
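The same factorization search as an added example in Python, not the thesis' Maple program: the expanded E0 relation is rebuilt from the repeating pattern of the Maple polynomial, every 2- and 3-variable product of x1..x16 is split into cofactor and remainder (the parts step), and only the products whose cofactor is linear and nonconstant (the maxterms) are kept. The names e0_anf, split, degree and find_maxterms are the example's own.

```python
from itertools import combinations

# Added example, not the thesis' Maple program: the same maxterm search in Python.
# A GF(2) polynomial is a set of monomials; a monomial is a frozenset of variable names.
A, B, C, D = "a", "b", "c", "d"                       # keystream bits z_t .. z_{t+3}
T1, T2, T3, T4 = (1, 2, 3, 4), (5, 6, 7, 8), (9, 10, 11, 12), (13, 14, 15, 16)
X = "x{}".format                                      # X(5) -> "x5": LFSR output variables

def e0_anf():
    """Rebuild the expanded E0 relation ('anf' in Appendix B) from its repeating pattern."""
    terms = set()
    def add(*vs):                                     # XOR one monomial into the polynomial
        terms.symmetric_difference_update({frozenset(vs)})
    for v in (A, B, C, D):
        add(v)
    for i, j in combinations(T2, 2):                  # x_i x_j {a,b,c,d}, x_i x_j
        for v in (A, B, C, D):
            add(X(i), X(j), v)
        add(X(i), X(j))
    add(*map(X, T2))                                  # x5 x6 x7 x8
    for i in T2:                                      # x_i {a, c, d, ab, bc, bd} and x_i alone
        for tail in ((A,), (C,), (D,), (A, B), (B, C), (B, D), ()):
            add(X(i), *tail)
    for i in T1 + T4:                                 # x_i, x_i x_j, x_i x_j b, x_i x_j x_k
        add(X(i))
        for j in T2:
            add(X(i), X(j)); add(X(i), X(j), B)
        for j, k in combinations(T2, 2):
            add(X(i), X(j), X(k))
    for i in T3:                                      # x_i b, x_i x_j c, x_i x_j cb, x_i x_j x_k c
        add(X(i), B)
        for j in T2:
            add(X(i), X(j), C); add(X(i), X(j), C, B)
        for j, k in combinations(T2, 2):
            add(X(i), X(j), X(k), C)
    for i, j in combinations(T3, 2):                  # x_i x_j, x_i x_j x_k {1, b}, x_i x_j x_k x_l
        add(X(i), X(j))
        for k in T2:
            add(X(i), X(j), X(k)); add(X(i), X(j), X(k), B)
        for k, l in combinations(T2, 2):
            add(X(i), X(j), X(k), X(l))
    for i, j, k in combinations(T2, 3):               # x_i x_j x_k b
        add(X(i), X(j), X(k), B)
    return terms

def split(terms, product):
    """The Maple 'parts' step: write f = product * cofactor XOR remainder."""
    p = frozenset(product)
    cofactor = {m - p for m in terms if p <= m}
    remainder = {m for m in terms if not p <= m}
    return cofactor, remainder

def degree(poly):
    return max((len(m) for m in poly), default=-1)    # -1 stands in for degree(0)

def find_maxterms(terms):
    """Map each linear, nonconstant cofactor (superpoly) to the products that yield it."""
    found = {}
    for size in (2, 3):                               # prod2 / prod3 of Appendix B
        for idx in combinations(range(1, 17), size):
            cofactor, _ = split(terms, map(X, idx))
            if degree(cofactor) == 1:
                found.setdefault(frozenset(cofactor), []).append(idx)
    return found

if __name__ == "__main__":                            # prints the twelve superpolys of Appendix C
    for superpoly, maxterms in find_maxterms(e0_anf()).items():
        print(" + ".join(sorted("".join(m) or "1" for m in superpoly)), maxterms)
```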
APPENDIX C. PROGRAM OUTPUT


Maple  12  works  on  Windows  (2000,  2003,  XP,  Vista),  Macintosh,  UNIX, 
Linux  and  Solaris  environments.  The  developers’  system  recommendations 
include  the  following: 

■  CPU:  AMD  X86_64/ 1  GHz/Intel  Xeon/  Intel  64 

■  RAM:  512MB  (at  least) 

■  Hard  disk:  1  GB 


The program outlined in Appendix B was executed on an Intel Pentium 4 processor with a CPU of 2.80 GHz and 1 GB of RAM in a Windows XP environment. The output of the program is given below, where the linear term without any bracket represents the superpoly and the terms inside the brackets represent the indices of the variables of the corresponding maxterm. For example, the superpoly $x_5 \oplus b$ has only one maxterm, $x_6x_7x_8$, whereas the superpoly $x_9 \oplus x_{11} \oplus x_{12} \oplus c$ has as maxterms the terms


OUTPUT 


X5 + b
[6, 7, 8]

X6 + b
[5, 7, 8]

X7 + b
[5, 6, 8]

b + X8
[5, 6, 7]

X11 + X12 + X9 + c
[5, 6, 10]
[6, 7, 10]
[5, 7, 10]
[6, 8, 10]
[5, 8, 10]
[7, 8, 10]

X11 + X12 + c + X10
[7, 8, 9]
[6, 8, 9]
[5, 6, 9]
[6, 7, 9]
[5, 7, 9]
[5, 8, 9]

X9 + c + X10 + X11
[5, 8, 12]
[5, 6, 12]
[5, 7, 12]
[6, 8, 12]
[7, 8, 12]
[6, 7, 12]

c + X10 + X12 + X9
[6, 7, 11]
[7, 8, 11]
[6, 8, 11]
[5, 8, 11]
[5, 7, 11]
[5, 6, 11]

1 + X6 + X7 + X8 + b
[1, 5]
[5, 11, 12]
[5, 10, 12]
[5, 16]
[5, 9, 11]
[5, 10, 11]
[5, 13]
[3, 5]
[2, 5]
[5, 9, 12]
[5, 15]
[5, 9, 10]
[4, 5]
[5, 14]

1 + X6 + X8 + b + X5
[7, 10, 12]
[7, 16]
[7, 9, 11]
[7, 9, 12]
[7, 9, 10]
[7, 10, 11]
[7, 11, 12]
[7, 13]
[7, 15]
[4, 7]
[2, 7]
[3, 7]
[7, 14]
[1, 7]

1 + X7 + X8 + b + X5
[6, 10, 11]
[1, 6]
[6, 9, 12]
[6, 11, 12]
[6, 16]
[6, 9, 10]
[6, 15]
[2, 6]
[6, 13]
[4, 6]
[3, 6]
[6, 14]
[6, 10, 12]
[6, 9, 11]

1 + b + X5 + X6 + X7
[4, 8]
[3, 8]
[8, 10, 12]
[8, 9, 11]
[8, 16]
[1, 8]
[8, 9, 12]
[8, 15]
[8, 14]
[8, 13]
[8, 9, 10]
[8, 10, 11]
[8, 11, 12]
[2, 8]
APPENDIX D. GLOSSARY OF BLUETOOTH KEY STREAM GENERATOR E0


Encryption Key
COF ........ Encryption Offset Number
OR ......... Bitwise OR
XOR ........ Bitwise Exclusive OR
LFSR ....... Linear Feedback Shift Register
CLK ........ Master Clock Bits
Output bit of the $i$-th LFSR at clock-time $t$
Summation outcome (integer) of the output bits of the four LFSRs at clock-time $t$ (the sum over $i = 1, \ldots, 4$)
$z_t$ ...... keystream bit produced by E0 at clock-time $t$
$z_{t+1}$ .. keystream bit produced by E0 at clock-time $t+1$
$z_{t+2}$ .. keystream bit produced by E0 at clock-time $t+2$
$z_{t+3}$ .. keystream bit produced by E0 at clock-time $t+3$
Four memory bits at clock-time $t$
Current two-bit block of memory bits at clock-time $t$
Two-bit block of memory bits at clock-time $t-1$
Two-bit sequence
First bit of the two-bit sequence
Second bit of the two-bit sequence
First bit of the current two-bit block of memory bits at clock-time $t$
Second bit of the current two-bit block of memory bits at clock-time $t$
First bit of the two-bit block of memory bits at clock-time $t-1$
Second bit of the two-bit block of memory bits at clock-time $t-1$
The $i$-th elementary symmetric polynomial in $x$
$x_1, x_2, x_3, x_4$ ........ outputs of the 1st, ..., 4th LFSR at clock-time $t$ respectively
$x_5, x_6, x_7, x_8$ ........ outputs of the 1st, ..., 4th LFSR at clock-time $t+1$ respectively
$x_9, x_{10}, x_{11}, x_{12}$ ..... outputs of the 1st, ..., 4th LFSR at clock-time $t+2$ respectively
$x_{13}, x_{14}, x_{15}, x_{16}$ ... outputs of the 1st, ..., 4th LFSR at clock-time $t+3$ respectively
a .......... keystream bit produced by E0 at clock-time $t$, $z_t$
b .......... keystream bit produced by E0 at clock-time $t+1$, $z_{t+1}$
c .......... keystream bit produced by E0 at clock-time $t+2$, $z_{t+2}$
d .......... keystream bit produced by E0 at clock-time $t+3$, $z_{t+3}$